
Game theoretical framework for analyzing Blockchains Robustness

P. Zappalà ∗, M. Belotti †, M. Potop-Butucaru ‡, S. Secci§

May 27, 2020

Abstract

Blockchain systems evolve in complex environments that mix classical patterns of faults (e.g., crash faults, transient faults, Byzantine faults, churn) with selfish, rational or irrational behaviors typical to economical systems. In this paper we propose a game theoretical framework in order to formally characterize the robustness of blockchain systems in terms of resilience to rational deviations and immunity to Byzantine behaviors. Our framework includes necessary and sufficient conditions for checking the immunity and resilience of games and a new technique for composing games that preserves the robustness of individual games. We prove the practical interest of our formal framework by characterizing the robustness of three different protocols popular in blockchain systems: a HTLC-based payment scheme (a.k.a. Lightning Network), a side-chain protocol and a cross-chain swap protocol.

1 Introduction

Distributed Ledger Technologies (DLTs) allow sharing a ledger of transactions among multiple users forming a peer-to-peer (P2P) network. DLTs characterized by a block architecture are called "Blockchains"; transactions are stored in blocks that are chained to each other by means of cryptographic tools such as hash functions. Blockchains enable their users to transfer cryptoassets in a decentralized manner. Blockchain systems are the composition of various protocolar building blocks.

Beyond the traditional blockchain protocols that exist today [7, 12, 17, 20, 21, 34, 42], the literature proposes other protocols that respectively define and regulate interactions outside the blockchain (layer-2 protocols [22]) and between different blockchains (cross-chain protocols [15]). Each of these protocols establishes the instructions that a user must follow in order to interact with or through a blockchain.

In a Blockchain system players can be classified into three different categories according to [5]: (i) players who follow the prescribed protocol are called altruistic, (ii) those who act in order to maximise their own benefit are said to be rational and, (iii) players who may rationally deviate from the prescribed protocol are defined as rational Byzantine. The latter category can be redefined, according to [27], to include any possible arbitrary protocol deviation (including irrational).

According to [5] protocols can be classified into: Byzantine Altruistic Rational Tolerant (BART) protocols that guarantee the safety and liveness properties in the presence of rational deviations and Incentive-Compatible Byzantine Fault Tolerant (IC-BFT) protocols that incentivize rational agents to follow the prescribed protocol, also in presence of Byzantine players.

Game theory is the branch of mathematics used to model the decision-making process in presence of multiple rational agents, called players. It helps in designing IC-BFT protocols guaranteeing that rational players follow the prescribed protocol's instructions. This is possible whenever the strategy profile "following the protocol" is a Nash equilibrium since it is adopted (if it exists) by rational players [31]. The concept of Nash equilibrium, where no player has interest in individually deviating, is not representative of situations where players can form coalitions and deviate as groups. As P2P systems, blockchains foresee the possibility for users to form coalitions and to cooperatively deviate from a prescribed protocol.

∗ Paolo Zappalà is with Cedric, Cnam, 75003 Paris, France. This work has been done while the author was affiliated with LIP6, CNRS UMR 7606, Sorbonne University.

† Marianna Belotti is with Cedric, Cnam, 75003 Paris, France, and also with Département de la Transformation Numérique, Caisse des Dépôts, 75013 Paris, France.

‡ Maria Potop-Butucaru is with Lip6, CNRS UMR 7606, Sorbonne University, 75005 Paris, France.

§ Stefano Secci is with Cedric, Cnam, 75003 Paris, France.

The current literature on game theoretical models applied to the blockchain environment focuses on a specific class of blockchain users, miners, considered as rational decision makers aiming at maximizing their rewards. There exists a wide plethora of IC-BFT protocols (surveyed in [30]) for Proof-of-Work blockchains (e.g., Bitcoin) where deviating miners suffer losses of computational power. In all these works the solution concept used to express their rationality is the Nash equilibrium. Alternative game theoretical frameworks to model miners' behaviour have been recently proposed. In [6] the authors model the Byzantine-consensus based blockchains as a committee coordination game. They analyze equilibrium interactions between Byzantine and rational committee members and derive conditions under which consensus properties are satisfied or not in equilibrium. A Nash equilibrium variant for asynchronous environments (i.e., ex post Nash equilibrium) is introduced in [4] to consider scheduling adversaries. Authors in [11, 14, 19, 26, 40] adopt different utility functions for miners that consider costs and relative rewards. The non-deterministic setting of blockchain systems is taken into account in [37] where authors introduce the concept of ρ-coalition-safe and ε-Nash equilibrium, generalized in [27] with Equilibria with Virtual Payoffs.

Concerning layer-2 and cross-chain protocols, game theoretical analyses are carried out by [8, 9, 13]. More precisely, the authors of [8, 9] design IC-BFT off-chain channels. In [10] authors examine various network structures and determine for each one of them the constraints under which they constitute a Nash equilibrium. Authors in [13] propose a game theoretical framework based on Nash equilibria to evaluate the stability of the existing cross-chain swap protocols.

Our contribution. This paper presents a game theoretical framework to analyze the robustness of blockchain systems, in terms of resilience to rational deviations and immunity to Byzantine behaviors; to our knowledge, it is the first one with respect to the current state of the art. The closest work to ours was proposed in [3] where the authors introduce the concept of mechanism (a pair of a game and a prescribed strategy). In order to characterize the robustness of a distributed system they introduce the notions of k-resiliency and t-immunity. In a k-resilient equilibrium there is no coalition of k players having an incentive to simultaneously change strategy to get a better outcome. On the other hand, the concept of t-immunity evaluates the risk of a set of t players having a Byzantine behavior. The property of t-immunity is often impossible to be satisfied by practical systems [2]. We introduce therefore the concept of t-weak-immunity. A mechanism is t-weak-immune if any altruistic player receives no worse payoff than the initial state, no matter how any set of t players deviate from the prescribed protocol. We further extend the framework in [3] by proving the necessary and sufficient conditions for a mechanism to be optimal resilient and t-weak-immune. Moreover, we define a new operator for mechanism composition and prove that the composition preserves the robustness properties of the individual games. Using our framework we studied (k, t)-robustness and (k, t)-weak-robustness (i.e., optimal k-resilience and t-weak-immunity) of the Lightning Network protocol [39], the side-chain protocol [38] and the very first implementation of a cross-chain swap protocol proposed in [35] and formalized in [24]. Our analysis spotted the weakness of the Lightning Network protocol [39] to Byzantine behaviour and therefore we correct and further analyze a modified version of this protocol. Our results are reported in Table 1.

The paper is structured as follows. Section 2 is devoted to the definition of mechanisms, (k, t)-weak-robustness, necessary and sufficient conditions for optimal resilience and weak immunity and composition of mechanisms. Section 3 applies the methodology developed in Section 2 to prove the robustness of three different protocols popular in blockchain systems. Section 4 concludes the paper.


Table 1: Immunity and resilience properties for Lightning Network [39], the modified version with a different closing module, a side-chain protocol [38] and a cross-chain swap protocol [24, 35].

| Protocol | Optimal Resilience | Weak Immunity | Immunity |
|---|---|---|---|
| Lightning Network [39] | Yes | No | No |
| Opening module | Yes | Yes | No |
| Closing module | Yes | No | No |
| Updating module | Yes | Yes | No |
| HTLC module | Yes | Yes | No |
| Routing module | Yes | Yes | No |
| Modified Lightning Network | Yes | Yes | No |
| Side-chain (Platypus [38]) | Yes | Yes | No |
| Cross-chain Swap [24, 35] | Yes | Yes | No |

2 Games theoretical framework for proving protocols robustness

2.1 Mechanisms and Robustness

In a distributed protocol, players can either decide to follow the prescribed protocol or not. In case they do not, they deviate from the protocol by choosing, for instance, a Byzantine behavior. We would like to model these situations and understand whether the players are incentivized to be altruistic i.e., to follow the prescribed protocol. In [3] authors introduce a game theoretical framework based on the concept of mechanism and its properties. In the following we recall and extend the framework defined in [3]. Due to space limitation detailed definitions including basics in game theory are provided in the Appendix A.

We consider games in normal form $\Gamma = \langle N, \mathcal{S}, u \rangle$ in which the set of players $N$ corresponds to the players involved in the protocol, $\mathcal{S} = \mathcal{S}_1 \times \mathcal{S}_2 \times \cdots \times \mathcal{S}_n$ where $\mathcal{S}_i$ is the set of strategies (all possible behaviors) of player $i$ and $u : \mathcal{S} \to \mathbb{R}^n$ is the utility function of the players.

Let us suppose that every player picks a strategy $\sigma_i \in \mathcal{S}_i$; then it is possible to compute the utility for a player $i$: $u_i(\sigma_1, \sigma_2, \ldots, \sigma_n)$, which is the $i$-th component of function $u$. The goal of the players is to maximize their utility by choosing their strategy. Usually there is no strategy that allows every player to maximize their utility, therefore we have to consider joint strategies $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in \mathcal{S}$. A solution concept $\sigma \in \mathcal{S}$ is a joint strategy such that the outcome $u(\sigma)$ pleases every player so that they have no incentive in changing their strategy $\sigma_i$. The most known solution concept is the Nash equilibrium, where no player has an incentive to unilaterally change strategy. For the sake of simplicity we assign utility $u_i(\sigma) = 0$ for every $\sigma \in \mathcal{S}$ when the player $i$ is indifferent between the outcome of the joint strategy $\sigma$ and the outcome of the initial state. Analogously we assign utility $u_i(\sigma) > 0$ when the outcome of the joint strategy $\sigma$ corresponds to the final state provided by the protocol and $u_i(\sigma) \le 0$ when the outcome of $\sigma$ is worse than the initial state. The value of the utility corresponds to the marginal utility with respect to the initial state.

A mechanism [3] is a pair $(\Gamma, \sigma)$ in which $\Gamma = \langle N, \mathcal{S}, u \rangle$ is a game in normal form and $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in \mathcal{S}$ is a joint strategy. Every player $i$ is advised to play strategy $\sigma_i \in \mathcal{S}_i$ i.e., the recommended strategy $\sigma$ is the prescribed protocol. The game $\Gamma$ shows all the possible strategies available to the players and it is defined by the prescribed protocol and all possible deviations.

A mechanism $(\Gamma, \sigma)$ is practical if $\sigma$ is a Nash equilibrium of the game $\Gamma$ after the iterated deletion of weakly dominated strategies. Players have a very low incentive to play weakly dominated strategies because they always have available a different strategy that provides no lower outcome in any scenario.

Evaluating the robustness to deviations of a distributed protocol corresponds to identifying the properties of the mechanism $(\Gamma, \sigma)$. Players can decide to deviate for two different reasons. On one hand, they can cooperate in order to find a joint strategy that provides a better outcome than the one given by the protocol. On the other hand, some players can behave maliciously for no specific reason and bring the others to unpleasant scenarios. In order to define the robustness of a system to the above mentioned deviations, in [3] the authors introduce a generalization of Nash equilibrium, the k-resilient equilibrium, and the property of t-immunity. In a k-resilient equilibrium there is no coalition of k players having an incentive to simultaneously change strategy to get a better outcome. $(\Gamma, \sigma)$ is a k-resilient mechanism if $\sigma$ is a k-resilient equilibrium for $\Gamma$. The concept of k-resilience denotes the tendency of a set of k players to cooperate to move to an equilibrium that differs from the one prescribed. On the other hand, the concept of t-immunity guarantees not inferior utility if at most t players defect and play a different strategy that can damage the others (i.e., Byzantine behavior). A mechanism is (k, t)-robust [3] if it is k-resilient and t-immune.

The property of t-immunity [3] is too strong and difficult to be satisfied in practice since it requires that the protocol provides the best outcome no matter which strategy a set of t players chooses. Therefore, Brenguier [16] generalizes it by defining (t, r)-immunity, i.e., players receive at least $u(\sigma) - r$ no matter what a Byzantine coalition of size up to t does.

In the following we introduce t-weak-immunity related to a threshold, that we fix equal to zero. Since zero is the utility provided to players in their initial state, the property of t-weak-immunity guarantees at least the value of the initial state to every player.

Definition 1 (t-weak-immunity). A joint strategy $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in \mathcal{S}$ is t-weak-immune if for all $T \subseteq N : |T| \le t$, all $\tau_T \in \mathcal{S}_T$ and all $i \in N \setminus T$, we have $u_i(\sigma_{-T}, \tau_T) \ge 0$. A mechanism $(\Gamma, \sigma)$ is t-weak-immune if $\sigma$ is t-weak-immune in the game $\Gamma$.

A player that joins a mechanism that is t-weak-immune knows that she does not suffer any loss (i.e., outcome with negative utility) if there are at most t deviating players in the game. A mechanism is weak immune if it is t-weak-immune for all t.

2.2 Necessary and sufficient conditions for optimal resilience and weak immunity

In the following we study the necessary and sufficient conditions for mechanisms to be optimal resilient and weak immune.

According to [3] if every strict subset of players has no incentive to change their strategy we say that the joint strategy is strongly resilient. $(\Gamma, \sigma)$ is a strongly resilient mechanism if $\sigma$ is strongly resilient. A mechanism $(\Gamma, \sigma)$ is optimal resilient if it is practical and strongly resilient. The concepts of k-resiliency and practicality are strictly connected with the properties of Nash equilibria, which have been fully studied (see for example [1, 18, 25, 28]). Therefore, connecting these two notions, through necessary and sufficient conditions, allows us to directly exploit the properties of Nash equilibria, such as strength [1] and stability [25, 28] (see Appendix A).

Proposition 1 (strong resilience). If $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n)$ is a strong equilibrium of $\Gamma$, then the mechanism $(\Gamma, \sigma)$ is strongly resilient.

Proof. A strong equilibrium is a Nash equilibrium and fulfills the property $u_i(\sigma_C, \sigma_{-C}) \ge u_i(\tau_C, \sigma_{-C})$ for all $C \subseteq N$, including $C = N$. Therefore this is true also for all $C \neq N$.

This property allows us to identify strongly resilient equilibria by simply looking at Pareto efficient outcomes, that characterize strong Nash equilibria. Strong Nash equilibria are easy to identify, but they are very rare; indeed, they do not always exist [1]. Therefore, we take into account stable Nash equilibria, i.e. those Nash equilibria that are more likely to be played. According to the definition provided in [25], stable equilibria fulfill different properties, among which they survive the iterated deletion of weakly dominated strategies. The concept of stable equilibria, which is well studied in literature [25, 28], extends the concept of practical mechanism.

Proposition 2 (practicality). If $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n)$ is a stable equilibrium of $\Gamma$, then the mechanism $(\Gamma, \sigma)$ is practical.

Proof. Stable equilibria survive the iterated deletion of weakly dominated strategies; therefore, the mechanism is practical.

In [25] the authors prove that there always exists at least one stable Nash equilibrium, which leads us to the following corollary.


Corollary 1. For any game $\Gamma$ there is always at least one $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in \mathcal{S}$ such that the mechanism $(\Gamma, \sigma)$ is practical.

Indeed, since for every game $\Gamma = \langle N, \mathcal{S}, u \rangle$ there always exists a stable equilibrium $\sigma \in \mathcal{S}$, from Proposition 2 we have that $(\Gamma, \sigma)$ is practical.

In the sequel we verify if protocols can be modeled with mechanisms with strong and stable Nash equilibria. In case they do, the mechanisms are both strongly resilient and practical, thus optimal resilient. If a protocol does not provide a mechanism with a strong equilibrium, it is necessary to compute k such that k-resiliency is fulfilled. On the other hand, given a generic game $\Gamma$ it is always possible to easily identify which mechanisms are practical; such a mechanism always exists.

The following proposition provides a necessary and sufficient condition to determine if a mechanism is weak immune.

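Proposition 3 (weak immunity). A joint strategy $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in \mathcal{S}$ is weak immune if and only if for all $i \in N$ in the game $\Gamma_i = \langle N', \mathcal{S}', u' \rangle$ with $N' = \{i, j\}$, $\mathcal{S}'_i = \mathcal{S}_i$, $\mathcal{S}'_j = \mathcal{S}_1 \times \mathcal{S}_2 \times \cdots \times \mathcal{S}_{i-1} \times \mathcal{S}_{i+1} \times \cdots \times \mathcal{S}_n$, $u'_i = u_i$ and $u'_j = -u_i$ the best response $\tau'_j \in \mathcal{S}'_j$ to $u'_i$ gives outcome $u'_i(\sigma_i, \tau'_j) \ge 0$.

Proof. Let us prove the if part. Since $\tau'_j$ is a best response to $\sigma_i$, by definition $u'_j(\sigma_i, \tau'_j) \ge u'_j(\sigma_i, \tau')$ for all $\tau' \in \mathcal{S}'_j$. Therefore $u'_i(\sigma_i, \tau'_j) \le u'_i(\sigma_i, \tau')$ and so for all $\tau' \in \mathcal{S}'_j$ we have that $u'_i(\sigma_i, \tau') \ge 0$. By construction for every $\tau_{-i} \in \mathcal{S}_{-i}$ there is one and only one $\tau' \in \mathcal{S}'_j$ so that $u_i(\sigma_i, \tau_{-i}) = u'_i(\sigma_i, \tau')$. Hence we have that $u_i(\sigma_i, \tau_{-i}) \ge 0$ for all $\tau_{-i} \in \mathcal{S}_{-i}$. The proof for the only if part is analogous, since we can find a one-to-one correspondence among strategies in $\mathcal{S}$ and $\mathcal{S}'$.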

The principle is to fix one player $i \in N$ at a time and consider all the other players as a unique adversarial player $j$ that sets her strategy in order to reduce the utility of player $i$. The game $\Gamma_i$ in which player $i$ faces an adversarial player $j$ belongs to a specific class of games, called two-player zero-sum games [41], whose Nash equilibria are always in the form $(v, -v)$ with $v \in \mathbb{R}$. The term $v$ is called value of the game and corresponds to the minimum value that player $i$ is able to achieve. Proposition 3 states that a joint strategy is weak immune if and only if the best response (i.e., the strategy producing the most favorable outcome) for the adversarial player $j$ assigns to player $i$ a positive outcome $v \ge 0$. This condition allows us to check the weak immunity property by looking at only N outcomes from N games, which is more efficient than considering all the possible outcomes of the game $\Gamma$. We see in Section 3.3 how this condition allows us to verify the weak immunity of a mechanism.
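The check that Proposition 3 describes, next to the brute-force reading of Definition 1, as an added example (not code from the paper). The three-player game, its `follow`/`deviate` strategy names and its payoffs are constructed for illustration: a follower's payoff depends only on how many players deviate.

```python
from itertools import combinations, product

def t_weak_immune(strategies, utility, sigma, t):
    """Definition 1 by brute force: for every set T of at most t deviators and
    every joint deviation tau_T, each player outside T must get utility >= 0."""
    n = len(strategies)
    for size in range(t + 1):
        for T in combinations(range(n), size):
            for tau_T in product(*(strategies[j] for j in T)):
                profile = list(sigma)
                for j, s in zip(T, tau_T):
                    profile[j] = s
                u = utility(tuple(profile))
                if any(u[i] < 0 for i in range(n) if i not in T):
                    return False
    return True

def adversarial_value(strategies, utility, sigma, i):
    """Proposition 3: merge everyone except i into one adversary j with
    u'_j = -u_i. Returns j's best response and the utility it leaves to i."""
    others = [j for j in range(len(strategies)) if j != i]
    best_response, value = None, None
    for tau in product(*(strategies[j] for j in others)):
        profile = list(sigma)
        for j, s in zip(others, tau):
            profile[j] = s
        u_i = utility(tuple(profile))[i]
        if value is None or u_i < value:
            best_response, value = tau, u_i
    return best_response, value

def weak_immune(strategies, utility, sigma):
    """Weak immunity (all t): one adversarial game per player, value >= 0."""
    return all(adversarial_value(strategies, utility, sigma, i)[1] >= 0
               for i in range(len(strategies)))

def largest_t(strategies, utility, sigma):
    """Largest t for which sigma is t-weak-immune, or -1 if even t = 0 fails."""
    t = -1
    while t + 1 < len(strategies) and t_weak_immune(strategies, utility, sigma, t + 1):
        t += 1
    return t

# Constructed sample game: follower_payoff[d] is what a player who follows the
# protocol receives when d players deviate; deviators are assigned 0.
def make_game(follower_payoff):
    def utility(profile):
        d = profile.count("deviate")
        return tuple(0 if s == "deviate" else follower_payoff[d] for s in profile)
    return utility

STRATEGIES = [["follow", "deviate"]] * 3
SIGMA = ("follow", "follow", "follow")   # the prescribed protocol
FRAGILE = make_game((1, 0, -1))          # two deviators push a follower below 0
SAFE = make_game((1, 0, 0))              # followers never drop below 0

if __name__ == "__main__":
    print(adversarial_value(STRATEGIES, FRAGILE, SIGMA, 0))
    print(largest_t(STRATEGIES, FRAGILE, SIGMA), weak_immune(STRATEGIES, SAFE, SIGMA))
```

The per-player adversarial check agrees with the brute-force definition at t = n - 1, while `largest_t` shows the threshold at which the constructed `FRAGILE` game stops protecting followers.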

2.3 Composition of Games and Mechanisms

Blockchain systems are complex protocols designed in a modular way. In order to study the robustness of such complex protocols we analyze the robustness of the individual modules and infer the properties of the system by composition.

We introduce therefore the notion of composition of games. Given two different games A and B, the game A B corresponds to players picking a strategy from each game and receiving as utility the sum of the utilities of the two games. The games are intended to be played separately and independently.

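Definition 2. Given $A = \langle N, \mathcal{S}_A, u_A \rangle$ and $B = \langle N, \mathcal{S}_B, u_B \rangle$ two games in normal form with the same set of players $N$, two different sets of strategies $\mathcal{S}_A = \{\mathcal{S}_{Ai} : i \in N\}$ and $\mathcal{S}_B = \{\mathcal{S}_{Bi} : i \in N\}$ and two different utility functions $u_A : \mathcal{S}_A \to \mathbb{R}^N$ and $u_B : \mathcal{S}_B \to \mathbb{R}^N$, then it is possible to define a new game C = A B, called composition of A and B, which is characterized as follows. $C = \langle N, \mathcal{S}_C, u_C \rangle$, where:

• $N$ is the set of the players,

• $\mathcal{S}_C := \{(s_{Ai}, s_{Bi}),\ s_{Ai} \in \mathcal{S}_{Ai},\ s_{Bi} \in \mathcal{S}_{Bi},\ \forall i \in N\}$ is the set of strategies,

• $u_C((\sigma_{Ai}, \sigma_{Bi})) := u_A(\sigma_{Ai}) + u_B(\sigma_{Bi})$ is the utility function.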


In the context of non-cooperative games linear transformations of utility functions ($u'_i = a \cdot u_i + b$ with $a \in \mathbb{R}^+$ and $b \in \mathbb{R}$) are considered invariant transformations since they preserve the main properties of the game [23]. Therefore, defining the utility function of the composition of games as the sum of the utility functions is equivalent to defining it for any linear combination. It is possible to extend the definition of composition of games to pairs of games in which different sets of players are involved. Indeed, for instance if a player $i$ is involved in game $A$ but not in game $B$, it is possible to extend game $B = \langle N, \mathcal{S}_B, u_B \rangle$ to $B = \langle N', \mathcal{S}'_B, u'_B \rangle$ in which player $i$ is added ($N' = N \cup \{i\}$) and she is assigned a "null" strategy ($\mathcal{S}'_B = \mathcal{S}_B \times \{\sigma_\emptyset\}$) not influencing the utilities of the outcomes. Formally, for all $s \in \mathcal{S}_B$ and for all $j \in N' \setminus \{i\}$, $u'_j(s, \sigma_\emptyset) = u_j(s)$, while for $i \in N'$ we have that $u_i(s, \sigma_\emptyset) = 0$. Intuitively it is possible to extend the definition of composition of games to more than two games. In Section 3.5 we use the notation ABC to represent either game A (BC) or (AB)C. We do not prove the associative property of this operator, but it is intuitive that the two games are the same, except for a different strategy labelling.

The following propositions allow us to model the building blocks of complex protocols, study the properties of the subsequent mechanisms and finally, through the composition of mechanisms, deduce the properties of the composed protocol.

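Proposition 4. Let $A = \langle N, \mathcal{S}_A, u_A \rangle$ and $B = \langle N, \mathcal{S}_B, u_B \rangle$ be two games in normal form representation. Then, $(\sigma_{Ai}, \sigma_{Bi})$ is a Nash equilibrium for A B if and only if $\sigma_{Ai}$ and $\sigma_{Bi}$ are Nash equilibria respectively for $A$ and $B$.

Proof. Let us prove the if part. If $\sigma_{Ai}$ and $\sigma_{Bi}$ are Nash equilibria for $A$ and $B$, then $\forall j$ and for any other pair of strategies for player $j$, $\sigma'_{Aj}$ and $\sigma'_{Bj}$, we have that:

$$u_A(\sigma_{Aj}, \sigma_{A-j}) \ge u_A(\sigma'_{Aj}, \sigma_{A-j}) \quad \text{and} \quad u_B(\sigma_{Bj}, \sigma_{B-j}) \ge u_B(\sigma'_{Bj}, \sigma_{B-j})$$

where $-j := \{i \in N : i \neq j\}$. Hence, for any other $(\sigma'_{Aj}, \sigma'_{Bj}), (\sigma_{A-j}, \sigma_{B-j})$ it is possible to deduce that:

$$u_{AB}((\sigma_{Ai}, \sigma_{Bi})) := u_A(\sigma_{Ai}) + u_B(\sigma_{Bi}) \ge u_A(\sigma'_{Aj}, \sigma_{A-j}) + u_B(\sigma'_{Bj}, \sigma_{B-j}) =: u_{AB}((\sigma'_{Aj}, \sigma'_{Bj}), (\sigma_{A-j}, \sigma_{B-j}))$$

that is, $(\sigma_{Ai}, \sigma_{Bi})$ is a Nash equilibrium for AB.

Let us prove the only if part by contradiction, i.e., $\exists (\sigma_{Ai}, \sigma_{Bi})$ that is a Nash equilibrium for AB but at least one among $\sigma_{Ai}$ and $\sigma_{Bi}$ is not a Nash equilibrium for $A$ or $B$. Let us suppose that $\sigma_{Ai}$ is not a Nash equilibrium for $A$: $\exists j, \exists \sigma'_A : u_A(\sigma_{Aj}, \sigma_{A-j}) < u_A(\sigma'_{Aj}, \sigma_{A-j})$ then,

$$u_{AB}((\sigma_{Ai}, \sigma_{Bi})) := u_A(\sigma_{Ai}) + u_B(\sigma_{Bi}) < u_A(\sigma'_{Aj}, \sigma_{A-j}) + u_B(\sigma_{Bj}, \sigma_{B-j}) =: u_{AB}((\sigma'_{Aj}, \sigma_{Bj}), (\sigma_{A-j}, \sigma_{B-j}))$$

which contradicts the hypothesis that $(\sigma_{Ai}, \sigma_{Bi})$ is a Nash equilibrium for AB.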

The Nash equilibria can be identified by selecting equilibria within the single games. It is not possible to create other Nash equilibria nor to lose them in the process of composition of the games.
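Definition 2 and Proposition 4 on two constructed two-player modules, as an added example (not code from the paper): the composed game is built from strategy pairs and summed utilities, and its pure Nash equilibria are compared with the pairs of module equilibria. The payoff tables and the `follow`/`deviate` names are assumptions made for illustration.

```python
from itertools import product

def table_game(strategies, table):
    """Normal-form game as (strategy sets, utility function) from a payoff table."""
    return strategies, lambda profile: table[profile]

def pure_nash(game):
    """All pure profiles in which no single player gains by changing strategy."""
    strategies, utility = game
    equilibria = []
    for profile in product(*strategies):
        base = utility(profile)
        gains = any(
            utility(profile[:i] + (s,) + profile[i + 1:])[i] > base[i]
            for i in range(len(strategies)) for s in strategies[i]
        )
        if not gains:
            equilibria.append(profile)
    return equilibria

def compose(game_a, game_b):
    """Definition 2: each player picks one strategy per game, utilities add up."""
    (strat_a, u_a), (strat_b, u_b) = game_a, game_b
    strategies = [list(product(strat_a[i], strat_b[i])) for i in range(len(strat_a))]

    def utility(profile):
        in_a = tuple(pair[0] for pair in profile)   # what was played in game A
        in_b = tuple(pair[1] for pair in profile)   # what was played in game B
        return tuple(x + y for x, y in zip(u_a(in_a), u_b(in_b)))

    return strategies, utility

def paired(eq_a, eq_b):
    """Profiles of the composed game built from one equilibrium of each module."""
    return {tuple(zip(a, b)) for a in eq_a for b in eq_b}

# Constructed payoff tables (not taken from the paper).
F, D = "follow", "deviate"
MOVES = [[F, D], [F, D]]
# Module A: following is an equilibrium, and so is mutual deviation.
MODULE_A = table_game(MOVES, {(F, F): (2, 2), (F, D): (0, 1),
                              (D, F): (1, 0), (D, D): (0, 0)})
# Module B: each player gains by deviating alone, so following is not one.
MODULE_B = table_game(MOVES, {(F, F): (1, 1), (F, D): (-1, 2),
                              (D, F): (2, -1), (D, D): (0, 0)})
COMPOSED = compose(MODULE_A, MODULE_B)

def prescribed_is_equilibrium():
    """Is 'follow in both modules' a Nash equilibrium of the composition?"""
    return ((F, F), (F, F)) in pure_nash(COMPOSED)

if __name__ == "__main__":
    print(pure_nash(MODULE_A), pure_nash(MODULE_B))
    print(pure_nash(COMPOSED), prescribed_is_equilibrium())
```

Following the protocol in both modules is not an equilibrium of the composition because it is not one in the constructed module B: a single module with an incentive to deviate is enough to lose the property.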

Proposition 5. Let $A = \langle N, \mathcal{S}_A, u_A \rangle$ and $B = \langle N, \mathcal{S}_B, u_B \rangle$ be two games, $(A, \sigma_A)$ and $(B, \sigma_B)$ two practical mechanisms. Then, $(AB, \sigma_{Ai}, \sigma_{Bi})$ is a practical mechanism.

Proof. Thanks to Proposition 4 we have that $\sigma_{Ai}, \sigma_{Bi}$ is a Nash equilibrium for A B. It is sufficient to prove that it survives the iterated deletion of weakly dominated strategies. Indeed, every strategy in the form $(\tau^*_{Ai}, \tau_{Bi})$ or $(\tau_{Ai}, \tau^*_{Bi})$, where $\tau^*_A$ is weakly dominated in $A$ and $\tau^*_B$ is weakly dominated in $B$ for some player $i$, is weakly dominated by another Nash equilibrium in A B for the very same player $i$. The joint strategy $\sigma_{Ai}, \sigma_{Bi}$ survives the iterated deletion of these weakly dominated strategies. It is now sufficient to prove that there is no other weakly dominated strategy. By contradiction we assume that there is a player $i$ such that there exists $(\sigma_{Ai}, \sigma_{Bi}) \in \mathcal{S}_{AB}$ that weakly dominates $(\sigma_{Ai}, \sigma_{Bi})$. Therefore, considering the utility $u$ for the player $i$, for every $(\tau_{A,-i}, \tau_{B,-i}) \in \mathcal{S}_{AB,-i}$ we have that:

$$u_{AB}((\sigma_{Ai}, \sigma_{Bi}), (\tau_{A,-i}, \tau_{B,-i})) \ge u_{AB}((\sigma_{Ai}, \sigma_{Bi}), (\tau_{A,-i}, \tau_{B,-i})).$$

Since $\sigma_{Ai}$ is not dominated by $\sigma_{Ai}$ in the game $A$, there exists $\tau_{A,-i} \in \mathcal{S}_{A,-i}$ such that $u_A(\sigma_{Ai}, \tau_{A,-i}) < u_A(\sigma_{Ai}, \tau_{A,-i})$. Analogously there exists $\tau_{B,-i} \in \mathcal{S}_{B,-i}$ such that $u_B(\sigma_{Bi}, \tau_{B,-i}) < u_B(\sigma_{Bi}, \tau_{B,-i})$. Therefore we have that:

$$u_{AB}((\sigma_{Ai}, \sigma_{Bi}), (\tau_{A,-i}, \tau_{B,-i})) < u_{AB}((\sigma_{Ai}, \sigma_{Bi}), (\tau_{A,-i}, \tau_{B,-i})),$$

which contradicts the assumption.

Proposition 5 formalizes the intuition that if two mechanisms are practical then, playing both selected joint strategies is still a practical mechanism. The following propositions prove the resilience and immunity of the games composition.

Proposition 6. Let $A = \langle N, \mathcal{S}_A, u_A \rangle$ and $B = \langle N, \mathcal{S}_B, u_B \rangle$ be two games, $(A, \sigma_A)$ and $(B, \sigma_B)$ two mechanisms respectively k-resilient and k′-resilient. Then, $(AB, \sigma_{Ai}, \sigma_{Bi})$ is a min(k, k′)-resilient mechanism.

Proof. We know that for all $C \subseteq N$ with $1 \le |C| \le k$, all $\tau_{A,C} \in \mathcal{S}_{A,C}$ and all $i \in C$, we have $u_{Ai}(\sigma_{A,C}, \sigma_{A,-C}) \ge u_i(\tau_{A,C}, \sigma_{A,-C})$. Analogously, for all $C' \subseteq N$ with $1 \le |C'| \le k'$, all $\tau_{B,C'} \in \mathcal{S}_{B,C'}$ and all $i \in C'$, we have $u_{Bi}(\sigma_{B,C'}, \sigma_{B,-C'}) \ge u_i(\tau_{B,C'}, \sigma_{B,-C'})$. Hence, we have that for all $S \subseteq N$ with $1 \le |S| \le \min(k, k')$, all $(\tau_{A,S}, \tau_{B,S}) \in \mathcal{S}_{A,S} \times \mathcal{S}_{B,S}$ and all $i \in S$:

$$u_{Ai}(\sigma_{A,S}, \sigma_{A,-S}) + u_{Bi}(\sigma_{B,S}, \sigma_{B,-S}) \ge u_i(\tau_{A,S}, \sigma_{A,-S}) + u_i(\tau_{B,S}, \sigma_{B,-S}).$$

We recall that $\mathcal{S}_{AB,S} = \mathcal{S}_{A,S} \times \mathcal{S}_{B,S}$, thus for all $S \subseteq N$ with $1 \le |S| \le \min(k, k')$, all $(\tau_{A,S}, \tau_{B,S}) \in \mathcal{S}_{AB,S}$ and all $i \in S$:

$$u_{AB,i}(\sigma_{A,S}, \sigma_{B,S}, \sigma_{A,-S}, \sigma_{B,-S}) \ge u_{AB,i}(\tau_{A,S}, \tau_{B,S}, \sigma_{A,-S}, \sigma_{B,-S}).$$

If a mechanism is k-resilient, then the protocol is followed if there are at most k rational players. If there is more than one mechanism, the threshold on the maximum number of rational players allowed is the minimum among the rational player numbers k, k′ in the individual mechanisms.

Proposition 7. Let $A = \langle N, \mathcal{S}_A, u_A \rangle$ and $B = \langle N, \mathcal{S}_B, u_B \rangle$ be two games, $(A, \sigma_A)$ and $(B, \sigma_B)$ two mechanisms respectively t-weak-immune and t′-weak-immune. Then, $(AB, \sigma_{Ai}, \sigma_{Bi})$ is a min(t, t′)-weak-immune mechanism.

Proof. In game $A$, for all $T \subseteq N$ with $|T| \le t$, all $\tau_{A,T} \in \mathcal{S}_{A,T}$ and all $i \in N \setminus T$, we have $u_{Ai}(\sigma_{A,-T}, \tau_{A,T}) \ge 0$. In game $B$, for all $T \subseteq N$ with $|T| \le t'$, all $\tau_{B,T} \in \mathcal{S}_{B,T}$ and all $i \in N \setminus T$, we have $u_{Bi}(\sigma_{B,-T}, \tau_{B,T}) \ge 0$. Therefore we have that for all $T \subseteq N$ with $1 \le |T| \le \min(t, t')$, all $(\tau_{A,T}, \tau_{B,T}) \in \mathcal{S}_{A,T} \times \mathcal{S}_{B,T}$ and all $i \in N \setminus T$:

$$u_{AB,i}(\sigma_{A,T}, \sigma_{B,T}, \tau_{A,-T}, \tau_{B,-T}) = u_{Ai}(\sigma_{A,T}, \tau_{A,-T}) + u_{Bi}(\sigma_{B,T}, \tau_{B,-T}) \ge 0$$

If a player combines two mechanisms which are weak immune for respectively at most t and t′ Byzantine players, then it means that she is considering a mechanism which can provide non-negative outcomes if there are at most a number of Byzantine users equal to min(t, t′).

3 ApplicationsIn this section we prove the effectiveness of our framework by analyzing the robustness of differentprotocols from blockchains systems. In Section 3.1 we introduce the reader to the LightningNetwork [39] (layer-2 protocol on top of Bitcoin). In Section 3.6 we analyze the side-chain Platypus[38]. In Section 3.7 we analyze a Cross-chain Swap protocol [35], which allows two users to exchangecryptoassets living in two different blockchains.


3.1 Lightning Network

In the Bitcoin blockchain transactions are collected in blocks, validated and published on the distributed ledger [32]. Bitcoin faces a problem of scalability, in terms of speed, volume and value of the transactions (cf. Appendix B.1). In order to overcome these issues, the authors of [39] introduce a layer-2 class of protocols called Lightning Network. The latter allows users to create bidirectional payment channels to handle unlimited transactions in a private manner, i.e., off-chain, without involving the Bitcoin blockchain. Two users A and B open a channel by publishing on the Bitcoin blockchain two transactions towards a fund F. The amounts of the transactions form the initial balance of the channel. In Section 3.2 we analyze the protocolar module to open a channel. The fund F can send or receive cryptoassets via blockchain transactions only if both users sign them. Once the channel is opened, users can exchange by simply privately updating the balance of the channel. The protocol to update the balance is discussed in Section 3.4. A further construction, called Hashed Timelock Contract (HTLC), allows users to create transactions within the channel that can be triggered at will. The structure of the protocol is similar to the one used to update the balance (cf. Appendix in Section B.5). When the users decide to close the channel, two transactions are published on the Bitcoin blockchain: one from F to A and another from F to B. The values of the transactions correspond to those of the latest balance. The protocol to close the channel is presented in Section 3.3. Lightning Network allows transactions also between users who have not opened a common channel (i.e., routed payment). Indeed, two users can perform a transaction through a path of open channels, using other users as intermediate nodes. This protocol is analyzed in Section 3.5.

3.2 Opening module

In order to open a channel, the users perform a transaction Tx towards F signed by both of them and they create two different commitments (C1a and C1b) that let them close the channel unilaterally (cf. Fig. 8). The protocol specifies in which order the commitments Tx, C1a and C1b have to be signed. We formalize the protocol with a game in extensive form Γop (cf. Definition 3), represented by its game tree (cf. Fig. 9). At every node of the tree (i.e., decision step) the player involved in the protocol has two actions available: either following it by signing the commitment required or not following it. The initial state corresponds to having no channel opened, while the final state corresponds to having the channel opened. We assign null utility to the initial state and positive utility (by convention fixed to 1) to the final state. If at any step the players do not follow the protocol, they get back to the initial state, with outcome (0, 0). If they do follow at every step, they are able to open the channel, with outcome (1, 1). We denote by σop = ((C1bA·, TxA·), (C1a·B, TxAB)) the joint strategy that corresponds to following the protocol at every node. The choice of this model is explained in Appendix B.2.

Definition 3. The opening game Γop is a game in extensive form, with two players N = {A, B} and 4 nodes, labeled by a number (1 is the vertex):

1. A has two actions available: C1b·· provides outcome (0, 0); C1bA· leads to node 2.

2. B has two actions available: C1a·· provides outcome (0, 0); C1a·B leads to node 3.

3. A has two actions available: Tx·· provides outcome (0, 0); TxA· leads to node 4.

4. B has two actions available: TxA· provides outcome (0, 0); TxAB provides outcome (1, 1).

The protocol is thus represented by the mechanism (Γop, σop), whose properties we analyze in the sequel. Missing proofs and details on the game tree are provided in Appendix B.2.

Theorem 1. The mechanism (Γop, σop) is not immune.

Theorem 2. The mechanism (Γop, σop) is optimal resilient and weak immune.

Proof. The only Pareto efficient outcome is (1, 1), which is provided only by the joint strategy σop. Therefore, σop is a strong Nash equilibrium. By Proposition 1, since σop is a strong equilibrium, the mechanism is strongly resilient.


Both σopA and σopB are dominant strategies respectively for A and B, because they always get a better outcome, no matter what the other player does. Therefore σop survives after the iterated deletion of weakly dominated strategies: the mechanism is practical. The players never receive a negative payoff; therefore, if they play σopA and σopB they always get a non-negative payoff. This corresponds to Definition 1 of weak immunity.

3.3 Classical and alternative closing modules

As described in Section 3.2, both users A and B can unilaterally close the channel by publishing respectively commitment C1a and C1b. If a user decides to unilaterally close the channel, she receives her part of the fund after ∆ blocks are validated on the Bitcoin blockchain, while the other user receives it immediately. The protocol recommends closing the channel by creating a new transaction, namely ES, that lets the players receive their cryptoassets immediately. We model the situation with the following game in normal form.

Definition 4. The closing game Γcl = 〈N, S, u〉 of the channel (xA, xB) with xA, xB > 0 is a game in normal form, with two players N = {A, B} who have available three different pure strategies each: SA = {C1aAB, N, ES} and SB = {C1bAB, N, ES}. The value of the utility can be found in the following payoff table (rows are the strategies of A, columns the strategies of B).

    A \ B      C1bAB         N           ES
    C1aAB      (1/2, 1/2)    (0, 1)      (0, 1)
    N          (1, 0)        (−1, −1)    (−1, −1)
    ES         (1, 0)        (−1, −1)    (1, 1)

First, we assume that the channel (xA, xB) is funded by both players, i.e., xA, xB > 0. If one of the two players has no asset involved in the channel, we have to model the situation with a degenerate game (cf. Appendix B.3), in which she can play any possible strategy. We recommend users to never unilaterally fund the channel.

The players have three different strategies: publishing their commitment, seeking a deal to create a new transaction ES or just doing nothing N. We assign null utility to players who receive their asset after ∆ blocks, positive utility (normalized to 1) if they receive it immediately, negative utility if they cannot redeem their cryptoassets. The full explanation of the payoff table is provided in Appendix B.3. The protocol recommends the joint strategy σcl = (ES, ES), i.e., both players seek a deal. In the following we analyze the properties of the mechanism (Γcl, σcl) (missing proofs are reported in Appendix B.3).

Theorem 3. Under the assumption xA > 0 or xB > 0, the mechanism (Γcl, σcl) is optimal resilient, but not weak immune.

Since the mechanism is not weak immune, it is not immune either. We thus provide an alternative protocol that can satisfy the property of weak immunity.

Theorem 4. Under the assumption xA > 0 or xB > 0, the only weak immune mechanism is (Γcl, σ∗) with σ∗ = (C1aAB, C2aAB).

Proof. In order to identify weak immune mechanisms we apply Proposition 7. We consider player A and the game ΓclA in which B is the adversarial player whose utility is the opposite of player A’s. The payoff matrix of the game ΓclA is the following (rows are the strategies of A, columns the strategies of B).

    A \ B      C1bAB          N          ES
    C1aAB      (1/2, −1/2)    (0, 0)     (0, 0)
    N          (1, −1)        (−1, 1)    (−1, 1)
    ES         (1, −1)        (−1, 1)    (1, −1)

The only Nash equilibrium of the game in pure strategies is (C1aAB, N), which provides outcome (0, 0). Since this is a zero-sum game, all the Nash equilibria provide the same outcome (v, v) where v = 0 is the value of the game. Since the value of the game is non-negative, player A always has a strategy to get at least 0. This strategy is C1aAB, which thus is the only one that player A can choose in a weak immune mechanism.

Analogously we can define the game ΓclB in which A is the adversarial player, which lets us prove that C1bAB is the only weak immune strategy for player B. Therefore, (C1aAB, C1bAB) is the only joint strategy that provides a weak immune mechanism.
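The claims of Theorems 3 and 4 can be checked mechanically on the payoff table of Definition 4. The following Python sketch is an added example, not code from the paper: it applies the k-resilience and t-weak-immunity inequalities stated in the proofs of Propositions 6 and 7 to pure strategies only, and all function names are this example's own.

```python
from fractions import Fraction
from itertools import combinations, product

HALF = Fraction(1, 2)
PLAYERS = ("A", "B")
STRATEGIES = {"A": ("C1aAB", "N", "ES"), "B": ("C1bAB", "N", "ES")}

# Payoff table of Definition 4: (A's strategy, B's strategy) -> (uA, uB).
PAYOFF = {
    ("C1aAB", "C1bAB"): (HALF, HALF), ("C1aAB", "N"): (0, 1), ("C1aAB", "ES"): (0, 1),
    ("N", "C1bAB"): (1, 0), ("N", "N"): (-1, -1), ("N", "ES"): (-1, -1),
    ("ES", "C1bAB"): (1, 0), ("ES", "N"): (-1, -1), ("ES", "ES"): (1, 1),
}


def utility(profile):
    """profile maps each player to a strategy; returns player -> payoff."""
    return dict(zip(PLAYERS, PAYOFF[tuple(profile[p] for p in PLAYERS)]))


def groups(max_size):
    """All non-empty sets of players with at most max_size members."""
    for size in range(1, max_size + 1):
        yield from combinations(PLAYERS, size)


def deviations(sigma, group):
    """Profiles where members of `group` play anything and the rest follow sigma."""
    for choice in product(*(STRATEGIES[p] for p in group)):
        yield {**sigma, **dict(zip(group, choice))}


def is_k_resilient(sigma, k):
    """No coalition of size <= k has a member who gains by deviating."""
    base = utility(sigma)
    return all(base[i] >= utility(tau)[i]
               for c in groups(k) for tau in deviations(sigma, c) for i in c)


def is_t_weak_immune(sigma, t):
    """Players outside any deviating set of size <= t never get a negative payoff."""
    return all(utility(tau)[i] >= 0
               for byz in groups(t) for tau in deviations(sigma, byz)
               for i in PLAYERS if i not in byz)


def weak_immune_profiles(t=1):
    """Every pure joint strategy that is t-weak-immune."""
    profiles = (dict(zip(PLAYERS, s))
                for s in product(*(STRATEGIES[p] for p in PLAYERS)))
    return [p for p in profiles if is_t_weak_immune(p, t)]


def pure_saddle_points():
    """Pure equilibria of the zero-sum game of the proof (B's utility is minus A's)."""
    def u_a(a, b):
        return PAYOFF[(a, b)][0]
    return [(a, b) for a in STRATEGIES["A"] for b in STRATEGIES["B"]
            if u_a(a, b) == max(u_a(x, b) for x in STRATEGIES["A"])
            and u_a(a, b) == min(u_a(a, y) for y in STRATEGIES["B"])]


if __name__ == "__main__":
    sigma_cl = {"A": "ES", "B": "ES"}
    print("sigma_cl 2-resilient:", is_k_resilient(sigma_cl, 2))
    print("sigma_cl 1-weak-immune:", is_t_weak_immune(sigma_cl, 1))
    print("weak immune profiles:", weak_immune_profiles(1))
    print("saddle points of the zero-sum game:", pure_saddle_points())
```

The run also shows a trade-off the table implies: the single weak immune profile (C1aAB, C1bAB) is not even 1-resilient, because A gains by switching to N when B publishes C1b.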

3.4 Updating module

Performing a transaction within a channel consists in updating its balance. Technically, the previous commitments (C1a and C1b) with balance (xA, xB) are replaced by two new commitments (C2a and C2b) with different balance (x′A, x′B). In order to prevent players from publishing old commitments, they sign two Breach Remedy Transactions (BR1a and BR1b), that can invalidate C1a and C2b. Indeed, if any party publishes an outdated commitment the other one can retrieve all the cryptoassets in the fund. If, for instance, A publishes the outdated commitment C1a, she can retrieve her fund xA unless B publishes BR1a before ∆ blocks are validated. The protocol to update the balance (cf. Fig. 10) requires the players to sign the commitments in a specific order.

We formalize the protocol with a game in extensive form Γup (cf. Definition 5), represented by the tree in Fig. 11. The initial state corresponds to the previous balance (with thus null utility), the final state to the updated balance (with utility equal to 1). One may object that with the updated balance one of the two parties receives a smaller cryptoasset; however, this does not mean receiving a lower utility, since updating the balance guarantees the exchange of a different cryptoasset which is more valuable than the one stored in the channel. We assign a negative value to the states in which players lose their cryptoassets or part of them.

Definition 5. The updating game Γup is a game in extensive form, with two players N = {A, B} and 5 nodes, labeled by a number (1 is the vertex):

1. A plays. C2b·· provides outcome (0, 0); C2bA· leads to node 2.

2. B plays. C2a·· provides outcome (0, 0); C2bAB provides outcome (1, 1); C2a·B leads to node 3.

3. A plays. BR1a·· provides outcome (0, 0); C2aAB provides outcome (1, 1); BR1aA· leads to node 4.

4. B plays. BR1b·B provides outcome (1, 1); BR1b·· leads to node 5.

5. A plays. C1aAB provides outcome (−1, 1); C2aAB provides outcome (1, 1).

The protocol recommends signing all the commitments and it is thus represented by the joint strategy σup = (C2bA·, BR1aA·, C2aAB, C2a·B, BR1b·B). We analyze the mechanism (Γup, σup) under the assumption that it is always possible to publish a transaction within ∆ blocks; otherwise it is not possible to validate the breach remedy transactions in time. The mechanism is not immune: if any user refuses to sign a commitment, the players return to the original balance, which provides a lower payoff than the final balance. However, the mechanism satisfies the properties of optimal resilience and weak immunity (missing proofs are reported in Appendix B.3).

Theorem 5. Under the assumption that it is possible to publish a transaction within ∆ blocks, the mechanism (Γup, σup) is optimal resilient and weak immune, but it is not immune.

3.5 Routing module

Lightning Network provides a protocol, called Hashtime Locked Contract (HTLC), that allows users to create transactions that can be triggered at will. The protocol for the HTLC (cf. Fig. 13) works as follows. User A creates a pair (H, R), where H is public and R is its private key (cf. Appendix B.5 for technical details). She shares with user B a commitment together with the string H. Once this commitment is published on the Bitcoin blockchain, user B can receive the transaction only if she can provide the private key R within ∆ blocks. It is easy to check that R is the private key of H, but it is almost impossible to retrieve R, given H. In this way, user A can trigger the transaction whenever she wants by disclosing R to user B. The modelisation of the protocol for HTLC is discussed in Appendix B.5. The protocol is represented by the mechanism (Γhtlc, σhtlc), which has the very same structure as the updating module (cf. Section 3.4) and thus satisfies optimal resilience and weak immunity, but not immunity.

The HTLC is used in the protocol that allows users to perform transactions even if they do not share a common channel. Indeed, it is sufficient that between the two users there is a path of channels, i.e., a sequence of users who two-by-two share a channel. For instance, let us suppose that users A and C have both opened a separate channel with a third user B. In the routed payment user B is the intermediate node. The protocol for routed payment works as follows (cf. Appendix B.6 for technical details). User C creates a pair of strings (H, R) and then discloses H to user A. User A creates an HTLC with user B locked with the public key H. Then, user B creates an HTLC with user C locked with H. Finally, user C discloses R to user B and triggers the transaction, and so does user B with user A. In this way, user C receives the payment, user A sends it and user B gains from a channel with A what she loses from the channel with C. In practice, the values of the two transactions do not coincide, so that the difference consists in the fee to be provided to user B.

We formalize the protocol with a game in extensive form Γrout, whose tree is displayed in Fig. 14. The joint strategy recommended by the protocol is denoted by σrout = (HABA, HBCB, Y, Y, Y).

Definition 6. The routing game Γrout is a game in extensive form, with three players N = {A, B, C} and 5 nodes, labeled by a number (1 is the vertex):

1. C has two actions available: either N, not sending H to A, which provides outcome (0, 0, 0), or Y, sending H to A, which leads to node 2.

2. A has two actions available: either HAB·, which provides outcome (0, 0, 0), or HABA, which leads to node 3.

3. B has two actions available: either HBC·, which provides outcome (0, 0, 0), or HBCB, which leads to node 4.

4. C has two actions available: either N, not disclosing R to B, which provides outcome (0, 0, 0), or Y, disclosing R to B, which leads to node 5.

5. B has two actions available: either N, not disclosing R to A, which provides outcome (1, −1, 1), or Y, disclosing R to A, which provides outcome (1, 1, 1).

The following theorem states that the HTLC mechanism is not immune but is weak immune and optimal resilient (proofs are reported in Appendix B.6).

Theorem 6. Under the assumption that in both HTLCs the transactions can be triggered, the mechanism (Γrout, σrout) is optimal resilient and weak immune but it is not immune.
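The robustness claims of Theorems 5 and 6 can be checked by walking the game trees of Definitions 5 and 6 while a chosen set of players deviates and the others follow the protocol. This Python example is added here and is not the paper's code; it assumes the routing payoffs are ordered (A, B, C) and takes t-immunity to mean that honest players receive at least the payoff they get when everyone follows the protocol, a definition this section does not restate.

```python
from itertools import combinations

# A game tree maps node -> (player to move, {action: next node (int) or payoff tuple}).
# Action labels follow Definitions 5 and 6; "." stands for the "·" placeholder.
UPDATING = {  # payoffs ordered (A, B)
    1: ("A", {"C2b..": (0, 0), "C2bA.": 2}),
    2: ("B", {"C2a..": (0, 0), "C2bAB": (1, 1), "C2a.B": 3}),
    3: ("A", {"BR1a..": (0, 0), "C2aAB": (1, 1), "BR1aA.": 4}),
    4: ("B", {"BR1b.B": (1, 1), "BR1b..": 5}),
    5: ("A", {"C1aAB": (-1, 1), "C2aAB": (1, 1)}),
}
SIGMA_UP = {1: "C2bA.", 2: "C2a.B", 3: "BR1aA.", 4: "BR1b.B", 5: "C2aAB"}

ROUTING = {  # assumption: payoffs ordered (A, B, C), the order in which N is listed
    1: ("C", {"N": (0, 0, 0), "Y": 2}),
    2: ("A", {"HAB.": (0, 0, 0), "HABA": 3}),
    3: ("B", {"HBC.": (0, 0, 0), "HBCB": 4}),
    4: ("C", {"N": (0, 0, 0), "Y": 5}),
    5: ("B", {"N": (1, -1, 1), "Y": (1, 1, 1)}),
}
SIGMA_ROUT = {1: "Y", 2: "HABA", 3: "HBCB", 4: "Y", 5: "Y"}


def outcomes(game, sigma, deviators, node=1):
    """Payoffs reachable when `deviators` play arbitrarily and the rest follow sigma."""
    player, actions = game[node]
    if player in deviators:
        targets = list(actions.values())      # a deviator may pick any action
    else:
        targets = [actions[sigma[node]]]      # an honest player follows the protocol
    found = set()
    for target in targets:
        if isinstance(target, tuple):         # terminal node: a payoff vector
            found.add(target)
        else:
            found |= outcomes(game, sigma, deviators, target)
    return found


def robustness(game, sigma, players, size):
    """Return (resilient, weak_immune, immune) for deviating sets of up to `size` players."""
    (followed,) = outcomes(game, sigma, set())   # the single outcome when all follow sigma
    resilient = weak_immune = immune = True
    for n in range(1, size + 1):
        for group in combinations(players, n):
            for payoff in outcomes(game, sigma, set(group)):
                for idx, p in enumerate(players):
                    if p in group:
                        # rational reading: a coalition member must not gain
                        resilient &= payoff[idx] <= followed[idx]
                    else:
                        # Byzantine reading: honest players must not be harmed
                        weak_immune &= payoff[idx] >= 0
                        # assumed definition of immunity (see lead-in)
                        immune &= payoff[idx] >= followed[idx]
    return resilient, weak_immune, immune


if __name__ == "__main__":
    print("updating:", robustness(UPDATING, SIGMA_UP, ("A", "B"), 2))
    print("routing: ", robustness(ROUTING, SIGMA_ROUT, ("A", "B", "C"), 3))
    print("B deviates in routing:", sorted(outcomes(ROUTING, SIGMA_ROUT, {"B"})))
```

In both trees the only negative payoffs, (−1, 1) and (1, −1, 1), land on the player who deviated, which is why weak immunity holds while immunity fails as soon as one player can push an honest player back to payoff 0.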

The HTLCs introduced in the protocol work independently from the routing protocol. We can model them with two different mechanisms: (ΓAB, σAB) for HAB and (ΓBC, σBC) for HBC. The HTLCs belong to two different channels, so they are independent one from another. The assumption from the routing protocol is that in both HTLCs the transactions can be triggered, but this is true only if every transaction can be published within ∆ blocks (cf. Appendix B.5). Under this assumption, the routed payment is represented by three independent protocols (Γrout, σrout), (ΓAB, σAB), and (ΓBC, σBC). Therefore we analyze the properties of its mechanism by defining the composition of the three games (Γrout ΓAB ΓBC, σrouti, σABi, σBCi).

Theorem 7. Under the assumption that every transaction can be published within ∆ blocks, the mechanism (Γrout ΓAB ΓBC, σrouti, σABi, σBCi) is optimal resilient and weak immune.

Proof. The operator composition (cf. Definition 2) is invariant with respect to the properties of the mechanisms. Thanks to Theorems 6 and 16 we have that (Γrout, σrout), (ΓAB, σAB) and (ΓBC, σBC) are practical. Therefore, with Proposition 5 we have that their composition (Γrout ΓAB ΓBC, σrouti, σABi, σBCi) is practical. Analogously, thanks to Theorems 6 and 16 we have that every single mechanism is k-resilient for all k and t-weak-immune for all t. Propositions 6 and 7 allow us to say that the composition (Γrout ΓAB ΓBC, σrouti, σABi, σBCi) is k-resilient for all k and t-weak-immune for all t, i.e., it is strongly resilient and weak immune.


3.6 Side-chain

A different solution to overcome the scalability and privacy problems of blockchains is offered by Platypus [38], a protocol that allows a group of users to create a childchain (sidechain) that can handle off-chain transactions without the need of synchrony among peers. In this section we consider the protocol to create a Platypus chain, described in Fig. 16. The protocol lets the childchain validators broadcast transactions to the peers until the number of validators that have confirmed the transactions exceeds a defined threshold.

It is possible to model this protocol with a game in extensive form Γcr, in which players are split into two categories: normal users and the validators. Users’ utility is positive if their transactions are successfully published and it is negative if a different wrong transaction is validated instead of theirs.

Definition 7. The creation game is a game Γcr in extensive form, where N = U ∪ V is the set of players, with |N| = mv. Every phase corresponds to a node of the tree, at which players play at the same time.

• Phase 1; only the player p0 is involved. The player p0 has two actions: either complete it Y or not N. If she does not, the outcome is 0 for all players.

• Phase 2; all normal users play at the same time. Each of them has the same two actions available: broadcasting their message Y or not N. If the message is not broadcast for player i, her utility is always 0.

• Phase 3; the validators can choose within a set of actions au with u ⊆ U, i.e., they can validate all the messages for the users within the set u. The cardinality of the set of their actions is equal to 2^|U|. The utility for the validators corresponds to the number of valid transactions which are broadcast.

• Phase 4; the validators can choose within a set of actions in the form (bt, st′), where t and t′ are any subset of transactions broadcast in Phase 3. The action b consists in broadcasting the transactions belonging to the set t until ⌊2mv/3⌋ + 1 validators receive it, while s means to send the transactions in t′.

We define the mechanism (Γcr, σcr), where σcr ∈ S is the strategy of following the protocol, i.e., for normal users u the strategy is σcru = Y, while for validators v the strategy is σcrv = (au∗, bt∗, st∗), where u∗ is the set of users who send a message and t∗ is the set of transactions broadcast in Phase 3. We thus analyze the properties of the mechanism (detailed proofs are provided in Appendix B.7).

Theorem 8. The mechanism (Γcr, σcr) is optimal resilient and ⌊mv/3⌋-weak-immune, but it is not t-immune for any t.

In [38] it is proved that no wrong transaction can be validated if there are at most ⌊mv/3⌋ corrupted players. This property cannot be expressed with the concept of immunity, which is too strong; to capture this information we exploit the definition of t-weak-immunity (cf. Definition 1). Within our model, the upper bound on the number of corrupted players means that no negative payoff is given to the players under the hypothesis that there are at most ⌊mv/3⌋ Byzantine nodes, i.e., that the mechanism is ⌊mv/3⌋-weak-immune.

3.7 Cross-chain swap

In this section we analyze the protocol introduced in [35], that allows two users to swap assets belonging to two different blockchains, which do not communicate with each other. In [24] the authors introduce a theoretical framework proving that the protocol is correct for those players who are altruistic, no matter what the others do. In the following we prove that the Cross-chain Swap protocol [35] satisfies the (k, t)-weak-robustness.

In this protocol users publish two different transactions on two different blockchains (e.g., Altcoin and Bitcoin) that can be triggered with the disclosure of a single private key x (cf. Appendix B.8 for technical details). The transactions have to be published within two different time intervals, ∆1 and ∆2, depending on the corresponding blockchain. In [24] the relationship between ∆1 and ∆2 is provided for a generic cross-chain swap protocol. In the 2-players context of [35], the condition proved in [24] results in ∆1 ≥ 2∆2. Both works assume that the transactions can be published within the time interval [0, min(∆1, ∆2)] = [0, ∆2].

Since the two blockchains are independent, we model the protocol with two different mechanisms (G1, σ1) and (G2, σ2) (cf. Definitions 8 and 9), that represent the actions that the players perform in each blockchain. More details about the choice of the payoffs are provided in Appendix B.8.

Definition 8. The Bitcoin game is an extensive form game G1 with 2 players N = {A, B} and 5 nodes (1 is the vertex):

1. A can either (Y) create TX1 and TX2, that leads to node 2, or (N) not do it, with outcome (0, 0).

2. B can either (Y) sign TX2, that leads to node 3, or (N) refuse to do it, with outcome (0, 0).

3. A can either (N) do nothing, with thus outcome (0, 0), or (Y) publish TX1 on the Bitcoin blockchain, that leads to node 4.

4. Both A and B have available two actions: either (Y) publish TX2 before x is revealed or (N) not do it. If any of the two users does so, the outcome is (0, 0). Otherwise, A reveals x and (N, N) leads to node 5.

5. B can either (Y) publish x on the Bitcoin blockchain or (N) not do it. If she does, the outcome is (1, 1). If she does not, the outcome is (1, −1).

The joint strategy that corresponds to following the protocol is σ1 = (Y, Y, N, Y, N, Y).

Definition 9. The Altcoin game is an extensive form game G2 with 2 players N = {A, B} and 5 nodes (1 is the vertex):

1. B can either (Y) create TX3 and TX4, or (N) do nothing. The action Y leads to node 2, while the action N leads to the outcome (0, 0).

2. A can either (Y) sign TX4, that leads to node 3, or (N) refuse to do it, with outcome (0, 0).

3. B can either (N) do nothing, with thus outcome (0, 0), or (Y) publish TX3 on the Altcoin blockchain, that leads to node 4.

4. Both A and B have available two actions: either (Y) publish TX4 before x is revealed or (N) not do it. If any of the two does so, the outcome is (0, 0). Otherwise, A reveals x and (N, N) leads to node 5.

5. A can either (Y) publish x on the Altcoin blockchain or (N) not do it. If she does, the outcome is (1, 0). If she does not, the outcome is (0, 0).

The joint strategy that corresponds to following the protocol is σ2 = (Y, N, Y, Y, Y, N).

Since the two blockchains are independent, we consider the composition of the two games (G1 G2, σ1i, σ2i) that represents the full protocol and analyze its properties (detailed proofs are reported in Appendix B.8).

Theorem 9. Under the assumption that any transaction can be published within a time interval [0, ∆2], the mechanism (G1 G2, σ1i, σ2i) is optimal resilient and weak immune, but it is not immune.

The mechanism is not immune: it is sufficient that one player does not create or publish a transaction to stop the protocol. Under the assumption that any transaction can be published within a time interval [0, ∆2] the mechanism is optimal resilient and weak immune.


4 Conclusions

We propose the first generic game theoretical framework that models the robustness of blockchains protocols in terms of resilience to coalitions of rational players and immunity to Byzantine behaviors. We identify the necessary and sufficient conditions for a protocol to be robust and develop a methodology to prove it. Furthermore, we characterize the robustness of complex protocols via the composition of simpler robust building blocks.

The effectiveness of our framework is demonstrated by its capability to capture the robustness of various blockchain protocols (e.g. layer-2, side-chains, cross-chain protocols). As future work we intend to extend our study to the whole blockchains environment including proof-* and consensus-based protocols.

References

[1] Coalition-proof nash equilibria i. concepts. Journal of Economic Theory, 42(1):1–12, 1987.

[2] Ittai Abraham, Lorenzo Alvisi, and Joseph Halpern. Distributed computing meets game theory: Combining insights from two fields. SIGACT News, 42:69–76, 06 2011.

[3] Ittai Abraham, Danny Dolev, Rica Gonen, and Joe Halpern. Distributed computing meets game theory: Robust mechanisms for rational secret sharing and multiparty computation. New York, NY, USA, 2006. Association for Computing Machinery.

[4] Ittai Abraham, Danny Dolev, and Joseph Y. Halpern. Distributed protocols for leader election: A game-theoretic perspective. 7(1), 2019.

[5] Amitanand S. Aiyer, Lorenzo Alvisi, Allen Clement, Michael Dahlin, Jean-Philippe Martin, and Carl Porth. Bar fault tolerance for cooperative services. In SOSP ’05, 2005.

[6] Yackolley Amoussou-Guenou, Bruno Biais, Maria Potop-Butucaru, and Sara Tucci Piergiovanni. Rationals vs byzantines in consensus-based blockchains. to appear AAMAS 2020, abs/1902.07895, 2019. URL: http://arxiv.org/abs/1902.07895, arXiv:1902.07895.

[7] Elli Androulaki, Matthias Jarke, and Jean-Jacques Quisquater. Introduction to the special theme: Blockchain engineering. ERCIM NEWS, (110):6,7, 2017.

[8] Georgia Avarikioti, Eleftherios Kokoris Kogias, and Roger Wattenhofer. Brick: Asynchronous state channels. arXiv preprint arXiv:1905.11360, 2019.

[9] Georgia Avarikioti, Felix Laufenberg, Jakub Sliwinski, Yuyi Wang, and Roger Wattenhofer. Towards secure and efficient payment channels. ArXiv, abs/1811.12740, 2018.

[10] Georgia Avarikioti, Rolf Scheuner, and Roger Wattenhofer. Payment networks as creation games. In Cristina Pérez-Solà, Guillermo Navarro-Arribas, Alex Biryukov, and Joaquín García-Alfaro, editors, Data Privacy Management, Cryptocurrencies and Blockchain Technology - ESORICS 2019 International Workshops, DPM 2019 and CBT 2019, Luxembourg, September 26-27, 2019, Proceedings, volume 11737 of Lecture Notes in Computer Science, pages 195–210. Springer, 2019.

[11] Christian Badertscher, Juan Garay, Ueli Maurer, Daniel Tschudi, and Vassilis Zikas. But why does it work? a rational protocol design treatment of bitcoin. In Annual international conference on the theory and applications of cryptographic techniques, pages 34–65. Springer, 2018.

[12] Marianna Belotti, Nikola Božić, Guy Pujolle, and Stefano Secci. A vademecum on blockchain technologies: When, which, and how. IEEE Communications Surveys & Tutorials, 21(4):3796–3838, 2019.


[13] Marianna Belotti, Stefano Moretti, Maria Potop-Butucaru, and Stefano Secci. Game theoretical analysis of Atomic Cross-Chain Swaps. In 40th IEEE International Conference on Distributed Computing Systems (ICDCS), Singapore, Singapore, December 2020. URL: https://hal.archives-ouvertes.fr/hal-02414356.

[14] Iddo Bentov, Pavel Hubácek, Tal Moran, and Asaf Nadler. Tortoise and hares consensus: the meshcash framework for incentive-compatible, scalable cryptocurrencies. IACR Cryptology ePrint Archive, 2017:300, 2017.

[15] Michael Borkowski, Daniel McDonald, Christoph Ritzer, and Stefan Schulte. Towards atomic cross-chain token transfers: State of the art and open questions within tast. Distributed Systems Group TU Wien (Technische Universität Wien), Report, 2018.

[16] Romain Brenguier. Robust equilibria in mean-payoff games. In Bart Jacobs and Christof Löding, editors, Foundations of Software Science and Computation Structures, pages 217–233, Berlin, Heidelberg, 2016. Springer Berlin Heidelberg.

[17] Christian Cachin and Marko Vukolić. Blockchain consensus protocols in the wild. arXiv preprint arXiv:1707.01873, 2017.

[18] Altannar Chinchuluun, Panos Pardalos, Athanasios Migdalas, and Leonidas Pitsoulis. Pareto Optimality, Game Theory And Equilibria, volume 17. 01 2008.

[19] Ittay Eyal and Emin Gün Sirer. Majority is not enough: Bitcoin mining is vulnerable. In International conference on financial cryptography and data security, pages 436–454. Springer, 2014.

[20] Juan Garay and Aggelos Kiayias. Sok: A consensus taxonomy in the blockchain era. In Cryptographers’ Track at the RSA Conference, pages 284–318. Springer, 2020.

[21] Vincent Gramoli. From blockchain consensus back to byzantine consensus. Future Generation Computer Systems, 2017.

[22] Lewis Gudgeon, Pedro Moreno-Sanchez, Stefanie Roos, Patrick McCorry, and Arthur Gervais. Sok: Off the chain transactions. IACR Cryptology ePrint Archive, 2019:360, 2019.

[23] Peter Hammond. Utility Invariance in Non-Cooperative Games, volume 38, pages 31–50. 06 2006.

[24] Maurice Herlihy. Atomic cross-chain swaps. In Proceedings of the 2018 ACM symposium on principles of distributed computing, pages 245–254, 2018.

[25] John Hillas. On the definition of the strategic stability of equilibria. Econometrica, 58(6):1365–1390, 1990. URL: http://www.jstor.org/stable/2938320.

[26] Aggelos Kiayias, Elias Koutsoupias, Maria Kyropoulou, and Yiannis Tselekounis. Blockchain mining games. In Proceedings of the 2016 ACM Conference on Economics and Computation, pages 365–382, 2016.

[27] Aggelos Kiayias and Aikaterini-Panagiota Stouka. Coalition-safe equilibria with virtual payoffs. arXiv preprint arXiv:2001.00047, 2019.

[28] Elon Kohlberg and Jean-Francois Mertens. On the strategic stability of equilibria. Econometrica: Journal of the Econometric Society, pages 1003–1037, 1986.

[29] Harold William Kuhn and Albert William Tucker. Contributions to the Theory of Games, volume 2. Princeton University Press, 1953.

[30] Z. Liu, N. C. Luong, W. Wang, D. Niyato, P. Wang, Y. Liang, and D. I. Kim. A survey on blockchain: A game theoretical perspective. IEEE Access, 7:47615–47643, 2019.

[31] George J Mailath. Do people play nash equilibrium? lessons from evolutionary game theory. Journal of Economic Literature, 36(3):1347–1374, 1998.


[32] Satoshi Nakamoto. A peer-to-peer electronic cash system. 2008.

[33] John F. Nash. Equilibrium points in n-person games. 36(1):48–49, 1950.

[34] Christopher Natoli, Jiangshan Yu, Vincent Gramoli, and Paulo Esteves-Verissimo. Deconstructing blockchains: A comprehensive survey on consensus, membership and structure. arXiv preprint arXiv:1908.08316, 2019.

[35] Tier Nolan. Re: Alt chains and atomic transfers. accessed on January 10, 2020. https://bitcointalk.org/index.php?topic=193281.msg2224949#msg2224949.

[36] Martin J Osborne and Ariel Rubinstein. A course in game theory. MIT press, 1994.

[37] Rafael Pass and Elaine Shi. Fruitchains: A fair blockchain. In Proceedings of the ACM Symposium on Principles of Distributed Computing, pages 315–324, 2017.

[38] Alejandro Ranchal Pedrosa and Vincent Gramoli. Platypus: Offchain protocol without synchrony. In Aris Gkoulalas-Divanis, Mirco Marchetti, and Dimiter R. Avresky, editors, 18th IEEE International Symposium on Network Computing and Applications, NCA 2019, Cambridge, MA, USA, September 26-28, 2019, pages 1–8. IEEE, 2019.

[39] Joseph Poon and Thaddeus Dryja. The bitcoin lightning network: Scalable off-chain instant payments, 2016.

[40] Itay Tsabary and Ittay Eyal. The gap game. In Proceedings of the 2018 ACM SIGSAC conference on Computer and Communications Security, pages 713–728, 2018.

[41] John Von Neumann, Oskar Morgenstern, and Harold William Kuhn. Theory of games and economic behavior (commemorative edition). Princeton university press, 2007.

[42] Zibin Zheng, Shaoan Xie, Hong-Ning Dai, Xiangping Chen, and Huaimin Wang. Blockchain challenges and opportunities: A survey. International Journal of Web and Grid Services, 14(4):352–375, 2018.

A Appendix: Games, mechanisms and robustness

A.1 Preliminaries on games

Throughout the text we consider processes in which multiple decision-makers are involved. We introduce game theoretical concepts in order to study the optimal decision-making process. The basic idea of a game is to capture a set of players which act in sequence. Its graphical representation is called a game tree. Formally, the theoretical concept which models this situation is the extensive form game [29].

Definition 10 (extensive form game). An extensive form game with perfect information is a tuple $\Gamma = \langle N, T, P, (A_h)_{h \in V}, (u_i)_{i \in N} \rangle$, where:

• $N$ is the set of players.

• $T = (V, E)$ is a directed rooted tree.

• $Z \subset V$ is the set of terminal nodes.

• $P : V \setminus Z \to N$ is a function assigning to each non-end node a player in $N$. The function $P$ identifies at which nodes a player acts.

• $A_h = \{(x_h, x_i) \in E\}$ for each node $h \in V \setminus Z$ is the set of edges going from node $h$ to some other nodes and represents the set of actions at node $h$ of the tree $T$.

• $\Omega_i = \{ s_i : V \setminus Z \to A_1 \times A_2 \times \dots \times A_h \times \dots \times A_H,\ h : P(h) = i \}$ is the set of pure strategies of player $i$. Every pure strategy of player $i$ is a function that assigns an action $a \in A_h$ to every node $h \in V \setminus Z$ in which player $i$ is involved (formally, $h : P(h) = i$).

• $S_i = \{ \sigma_i : \Omega_i \to [0, 1],\ \sum_{s \in \Omega_i} \sigma_i(s) = 1 \}$ is the set of mixed strategies of player $i$. A mixed strategy is a probability distribution over the set of pure strategies of player $i$.

• $u_i : Z \to \mathbb{R}$ is the utility function for player $i \in N$.

Fig. 1 represents a game in extensive form $\Gamma$ with players $N = \{A, B\}$ and non-terminal nodes $V \setminus Z = \{a, b, c\}$. The structure and the notation of a game in extensive form are not practical for the purpose of the analysis. Every game in extensive form can be rewritten in a more compact way, called normal form representation [29], as shown in Fig. 2.

Figure 1: Game Γ in extensive form.

Definition 11 (game in a normal form). A game in a normal form representation is identified by a tuple $\Gamma = \langle N, S, u \rangle$, where $N$ is a finite set of $n$ players, $S = S_1 \times S_2 \times \dots \times S_n$ where $S_i$ is the set of strategies of player $i$ and $u : S \to \mathbb{R}^n$ is the utility function of the players.

Every player $i$ has available a set of strategies $S_i$. Let us suppose that every player picks a strategy $\sigma_i \in S_i$; then it is possible to compute the utility for a player $i$: $u_i(\sigma_1, \sigma_2, \ldots, \sigma_n)$, which is the $i$-th component of the function $u$. Since they are rational agents, the goal of the players is to maximize their utility by choosing their strategy. Usually there is no strategy that allows every player to maximize their utility, therefore we have to consider joint strategies $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$. Each player $i$ chooses a strategy $\sigma_i$ and the outcome $u(\sigma)$ pleases every player, so that they do not want to change their strategy. We introduce some solution concepts of a game, which consist of sets of joint strategies.

Figure 2: Game Γ in normal form.

Definition 12 (joint strategy). A joint strategy $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$ is a Nash equilibrium if:

$$u_i(\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \geq u_i(\sigma_1, \sigma_2, \ldots, \tau_i, \ldots, \sigma_n)$$

for every player $i$ and for every $\tau_i \in S_i$.

The definition of Nash equilibrium is based on the concept of best response, i.e., the strategy $\sigma_i$ that maximizes the utility of a player $i$, given the strategies of the other players $\sigma_{-i}$. In a Nash equilibrium no player has an incentive to unilaterally change its strategy since utilities do not increase. Nash [33] proves that every game in normal form admits at least one Nash equilibrium. Nash equilibria are reasonable solution concepts since they represent a scenario in which nobody is tempted to unilaterally change her own strategy. However, the set of Nash equilibria is not always a singleton: there might be more than one equilibrium. Some properties of Nash equilibria are introduced below.

Definition 13 (strong Nash equilibrium [1]). A Nash equilibrium $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$ is said to be strong if and only if for all $C \subseteq N$, all $\tau_C \in S_C$, $\exists i \in C$ such that $u_i(\sigma_C, \sigma_{-C}) \geq u_i(\sigma_C, \tau_{-C})$.

In [1] the authors prove that the outcome of every strong Nash equilibrium is Pareto efficient, i.e., no player can improve her outcome without reducing the outcome of other players. Strong Nash equilibria are easy to identify, but they do not always exist.

Definition 14 (stable Nash equilibrium [25]). A Nash equilibrium $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$ is said to be stable if it belongs to the set $S$ which is minimal with respect to the following property: for every $\varepsilon > 0$ there exists $\delta > 0$ such that any upper-hemicontinuous compact convex-valued correspondence pointwise within Hausdorff distance $\delta$ of the best response correspondence of $\Gamma$ has a fixed point within $\varepsilon$ of $S$.

The concept of stable equilibria was introduced in [28] in order to exclude less meaningful Nash equilibria, i.e., those equilibria that are less resilient against small changes. After [28], several other definitions of stability were introduced. We cite the definition provided in [25], which fulfills some useful properties. One of these states that there always exists a stable Nash equilibrium. Moreover, stable Nash equilibria survive after the iterated deletion of weakly dominated strategies, i.e., those strategies $\sigma_i \in S_i$ that perform as well as or worse than another strategy $\sigma'_i \in S_i$ no matter which strategy the other players choose (formally, we have that $u_i(\sigma_i, \tau_{-i}) \leq u_i(\sigma'_i, \tau_{-i})$ for all $\tau_{-i} \in S_{-i}$). In the process of iterated deletion [36] weakly dominated strategies are excluded from the set of strategies available to players and the set of Nash equilibria is recomputed.

A.2 Mechanisms and Robustness

In a distributed protocol, agents who run it can either decide to follow the prescribed protocol or not. In case they do not, they deviate from the prescribed protocol by choosing a Byzantine behaviour. We would like to model these situations and understand whether the players are incentivized to follow the given advice. In [3] the authors introduce a game theoretical framework based on the concept of mechanism and its properties. In the following we recall and extend the framework of [3].

A game is a tuple $\Gamma = \langle N, S, u \rangle$ in which the set of players $N$ corresponds to the agents involved in a protocol. We map all the possible behaviours of the players and define them as their strategies $S$. Following the protocol corresponds to one and only one strategy $\sigma_i \in S_i$ for every player $i$. For the sake of simplicity we assign utility $u_i(s) = 0$ for every $s \in S$ when the player $i$ is indifferent between the outcome of the joint strategy $s$ and the outcome of the initial state. Analogously we assign utility $u_i(s) > 0$ when the outcome of the joint strategy $s$ corresponds to the final state provided by the protocol and $u_i(s) \leq 0$ when the outcome of $s$ is worse than the initial state. The value of the utility corresponds to the marginal utility with respect to the initial state.

Given the joint strategy $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$ that corresponds to every player $i$ following the protocol by playing strategy $\sigma_i$ we define the mechanism $(\Gamma, \sigma)$.

Definition 15 (mechanism [3]). A mechanism is a pair $(\Gamma, \sigma)$ in which $\Gamma = \langle N, S, u \rangle$ is a game and $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$ is a joint strategy.

Every player is advised to play strategy $\sigma_i \in S_i$. The game $\Gamma$ shows all the possible strategies available to the players.

Players have a very low incentive to play weakly dominated strategies (cf. Definition 14) since they always have available a different strategy that provides no lower outcome in any scenario. A practical mechanism, formally defined below, ensures that these strategies are not included.

Definition 16 (practical mechanism [3]). A mechanism $(\Gamma, \sigma)$ is practical if $\sigma$ is a Nash equilibrium of the game $\Gamma$ after the iterated deletion of weakly dominated strategies.

Evaluating the resilience of a distributed protocol to Byzantine behaviors corresponds to identifying the properties of the mechanism $(\Gamma, \sigma)$. Users can decide to choose a Byzantine behaviour for two different reasons. On one hand they can cooperate in order to find a joint strategy that provides a better outcome than the one given by the protocol. A mechanism which is optimal resilient, i.e., practical (cf. Definition 16) and strongly resilient (cf. Definition 17), discourages these behaviours. On the other hand some agents can behave maliciously for any reason and bring other players to unpleasant scenarios. In [3] a mechanism is $t$-immune to this behavior if it provides not inferior utility in the case when at most $t$ players play a strategy different from the one prescribed by the mechanism. This condition has already been identified as being too strong in practice, therefore we introduce the property of $t$-weak-immunity (cf. Definition 1), which means that a player $i$ who chooses the prescribed strategy $\sigma_i \in S_i$ is never led to a worse state than the initial one, under the hypothesis that at most $t$ players are Byzantine.

In [3] the authors introduce a generalization of Nash equilibrium, the $k$-resilient equilibrium, defined formally below. The definition is a generalization of the concept of Nash equilibrium, which can be considered as a 1-resilient equilibrium. Indeed, in a Nash equilibrium no coalition formed by a single player has an incentive to change strategy. In a $k$-resilient equilibrium there is no coalition of $k$ players that have an incentive to simultaneously change strategy to get a better outcome. Given a coalition of rational players $C \subseteq N$ of size up to $k : 1 \leq k < |N|$, the joint strategy $\sigma \in S$ and any other of their joint strategies $\tau_C \in S_C$ we can define $k$-resiliency as follows.

Definition 17 ($k$-resilient equilibrium [3]). A joint strategy $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$ is a $k$-resilient equilibrium if for all $C \subseteq N$ with $1 \leq |C| \leq k$, all $\tau_C \in S_C$ and all $i \in C$, we have $u_i(\sigma_C, \sigma_{-C}) \geq u_i(\tau_C, \sigma_{-C})$.

We say that a mechanism $(\Gamma, \sigma)$ is $k$-resilient if $\sigma$ is a $k$-resilient equilibrium for $\Gamma$.

If every strict subset of the players has no incentive to change strategy we say that the joint strategy is strongly resilient (formally, if it is $k$-resilient for all $k \leq n - 1$). We say that a mechanism $(\Gamma, \sigma)$ is strongly resilient if $\sigma$ is strongly resilient.

A mechanism $(\Gamma, \sigma)$ is optimal resilient if it is practical and strongly resilient.

One of the basic assumptions of game theory is that agents are rational. However, in real applications it might happen that agents behave irrationally. There are different reasons for this. Agents might have some limits that do not let them identify and choose rational behaviours. We always work under the assumption that everything works, but there might be some technical failures that make some actions inaccessible to players. Lastly, the game might not be independent from other games. For instance, some agents might be subject to bribes which entice them to play an irrational strategy. Therefore it is interesting to study strategies that are immune to this type of behavior. A joint strategy is $t$-immune if it provides not inferior utility in the case when at most $t$ players play a strategy different from the one prescribed by the mechanism.

Definition 18 ($t$-immunity [3]). A joint strategy $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$ is $t$-immune if for all $T \subseteq N$ with $|T| \leq t$, all $\tau_T \in S_T$ and all $i \in N \setminus T$, we have $u_i(\sigma_{-T}, \tau_T) \geq u_i(\sigma)$. A mechanism $(\Gamma, \sigma)$ is $t$-immune if $\sigma$ is $t$-immune in the game $\Gamma$.

The concept of $k$-resilience denotes the tendency of a set of $k$ players to cooperate to move to an equilibrium different from the one prescribed. On the other hand, the concept of $t$-immunity evaluates the risk of a set of $t$ players to defect and play a different strategy that can damage the other players. The two concepts are complementary. In [3] the authors introduced the notion of $(k, t)$-robust mechanism. A mechanism is $(k, t)$-robust if it is $k$-resilient and $t$-immune.

The property of $t$-immunity (cf. Definition 18) is too strong and difficult to verify in practice because it requires that the protocol provides the best outcome no matter which strategy a set of $t$ players chooses. In [16] the author generalizes it with the definition of $(t, r)$-immunity, i.e., that players receive at least $u(\sigma) - r$ no matter what the other players do. For our purposes we need a more specific definition, that is valid for all players and that is related to a threshold, that we fix equal to zero. Since zero is the utility provided to players in their initial state, the property of immunity corresponds to guaranteeing at least the value of the initial state to every player. Given a coalition of Byzantine players $T \subseteq N$ of size up to $t : 1 \leq t < |N|$, their joint strategy $\tau_T \in S_T$ and the set of strategies $\sigma_{-T}$ of altruistic players $i \in N \setminus T$ we can define $t$-weak-immunity as follows.

Definition 19 ($t$-weak-immunity). A joint strategy $\sigma = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_n) \in S$ is $t$-weak-immune if for all $T \subseteq N$ with $|T| \leq t$, all $\tau_T \in S_T$ and all $i \in N \setminus T$, we have $u_i(\sigma_{-T}, \tau_T) \geq 0$. A mechanism $(\Gamma, \sigma)$ is $t$-weak-immune if $\sigma$ is $t$-weak-immune in the game $\Gamma$.

A player that joins a mechanism that is $t$-weak-immune knows that she does not suffer any loss (i.e., outcome with negative utility) if there are at most $t$ Byzantine players in the game. Under the assumption that a protocol provides positive outcomes, a $t$-immune strategy is always $t$-weak-immune. As the denomination might suggest, this new property is weaker. Formally, it is possible to consider it as one of its generalizations. Indeed, if we consider the equivalent game $\Gamma' = \langle N, S, u' \rangle$ with $u' = u - u(\sigma)$, the definitions of $t$-immunity and $t$-weak-immunity are identical. We define as weak immune a joint strategy that is $t$-weak-immune for every $t$.

In Section 2.2 we provide necessary and sufficient conditions to prove that a mechanism satisfies the property of optimal resilience and $t$-weak-immunity.

Finally, we have to take into account that players run complex protocols composed of a set of modules. We introduce in Section 2.3 the operator composition of games (cf. Definition 2), i.e., the game that corresponds to different games run at the same time by the same players. We prove that the properties introduced above are invariant with respect to this operator, i.e., if two protocols are independent one from another they preserve their properties when played at the same time.

B Applications

B.1 Lightning Network

In blockchain systems transactions are collected in blocks, validated and published on the distributed ledger. The best known of them, Bitcoin, is based on a Proof-of-Work system that validates blocks of transactions and chains them one to another [32]. Bitcoin faces a problem of scalability, in terms of speed, volume and value of the transactions. A transaction is confirmed only once the block to which it belongs is part of a chain with at least $D$ blocks in front of it (under the convention set by the Bitcoin protocol $D = 6$). On average a new block is validated every $T$ minutes (within Bitcoin, $T = 10$), thus it takes around $T \cdot D = 60$ minutes for a transaction to be confirmed, a value that cannot be reduced. Moreover, the number of transactions in a block is limited. Bitcoin cannot bear a sudden upsurge in volume of transactions. Since not all the requests for transactions can be included in a block, some of them are prioritised. The criterion used to order the transactions is the value of the fee that a user pays to the mining pool who validates the block. Therefore performing a lot of transactions on the network can be expensive, since a lot of fees have to be paid.

In order to overcome this issue a layer-2 class of protocols called Lightning Network is introduced [39]. Lightning Network allows users to create bidirectional payment channels to handle unlimited transactions privately, i.e., without involving the Bitcoin blockchain. Two users A and B open a channel by publishing on the Bitcoin blockchain two transactions towards a fund F. The amounts of the transactions form the initial balance. In Section 3.2 we analyze the protocol to open a channel.

Figure 3: A and B open a channel.

Once the channel is open, they can perform transactions by simply privately updating its balance. The protocol to update the balance is discussed in Section 3.4.

As soon as A and B are no more interested in exchanging bitcoins they decide to close the channel. Two transactions are published on the Bitcoin blockchain: one from F to A and another from F to B. The value of the transactions corresponds to the ones of the latest balance. The protocol to close the channel is presented in Section 3.3. Lightning Network allows transactions also between users who have not opened a common channel (routed payment). Indeed, two users can perform a transaction through a path of open channels, using other users as intermediate nodes. The protocol is analyzed in Section 3.5. In Section B.5 a further construction is introduced, called Hashed Timelock Contract (HTLC), which stands at the basis of the protocol. In the public Bitcoin blockchain every transaction is signed by the sender. In the Lightning Network every operation is identified by a commitment $C$ which must be signed by two users, let us say A and B. In the following sections we use the following notations: $C_{\cdot\cdot}$ when the commitment is signed by nobody; $C_{A\cdot}$ when the commitment is signed only by user A; $C_{\cdot B}$ when the commitment is signed only by user B; $C_{AB}$ when the commitment is signed by both users, this is the only case in which the commitment $C$ is valid.

Figure 4: A and B privately update the balance of the channel.

In practice, the channel consists of a user, let us say F. Every transaction from and to F must be signed by both users A and B.

Figure 5: A path of channels between users A and D.

Figure 6: A sends 5 B to D through nodes B and C.

Figure 7: All the balances are updated.

B.2 Opening module

Informally, the protocol asks the users to fund the channel F with two different transactions, respectively valued $x_A$ and $x_B$, and to create two different commitments that allow them to publish a transaction that makes them close the channel unilaterally. Formally, the protocol involves the following steps (cf. Fig. 8):

1. A creates a transaction $C1b$ that allows F to send $x_A$ to A and to send $x_B$ to B. B is able to spend $x_B$ only after $\Delta$ blocks are validated (in [39] $\Delta = 1000$). A signs $C1b$ and sends it to B.

2. B creates a transaction $C1a$ that allows F to send $x_A$ to A and to send $x_B$ to B. A is able to spend $x_A$ only after $\Delta$ blocks are validated. B signs $C1a$ and sends it to B.

3. A creates a transaction $Tx$ that makes A send $x_A$ to F and B send $x_B$ to F. A signs $Tx$ and sends it to B.

4. B signs $Tx$ and publishes it on the Bitcoin blockchain.

If a user decides to close the channel unilaterally, she receives her part of funds after a certain interval of time, while the other user receives it immediately.

We formalise the protocol with the following game in extensive form (cf. Fig. 9). The initial state corresponds to having no channel opened, while the final state corresponds to having the channel opened. We assign null utility to the initial state and positive utility (normalised to 1) to the final state.

Definition 20. The opening game $\Gamma^{op}$ is a game in extensive form, with two players $N = \{A, B\}$ and 4 nodes, labeled by a number (1 is the vertex):

1. A has two actions available: $C1b_{\cdot\cdot}$, which provides outcome $(0, 0)$; $C1b_{A\cdot}$, which leads to node 2.

2. B has two actions available: $C1a_{\cdot\cdot}$, which provides outcome $(0, 0)$; $C1a_{\cdot B}$, which leads to node 3.

3. A has two actions available: $Tx_{\cdot\cdot}$, which provides outcome $(0, 0)$; $Tx_{A\cdot}$, which leads to node 4.

4. B has two actions available: $Tx_{A\cdot}$, which provides outcome $(0, 0)$; $Tx_{AB}$, which provides outcome $(1, 1)$.

At every node the player involved in the protocol has two actions available: either follow it or not follow it. If at any step they do not follow it, they get back to the initial state, with outcome $(0, 0)$. If they do at every step, they are able to open the channel, with outcome $(0, 0)$. The joint strategy recommended by the protocol is $\sigma^{op} = (\{C1b_{A\cdot}, Tx_{A\cdot}\}, \{C1a_{\cdot B}, Tx_{AB}\})$, in which the actions are played respectively at nodes $(\{1, 3\}, \{2, 4\})$.

Figure 8: Scheme of the commitments for the opening of a channel [39].

Theorem 10. The mechanism $(\Gamma^{op}, \sigma^{op})$ is not immune.

Proof. Since we are in a two-player setting, a mechanism is immune (cf. Definition 18) if it is 1-immune, i.e. if both players receive no lower payoff than $u(\sigma^{op}) = (1, 1)$, no matter what the other player chooses. A counterexample is B deviating from $\sigma^{op}_B = \{C1a_{\cdot B}, Tx_{AB}\}$ to $\tau_B = \{C1a_{\cdot\cdot}, Tx_{AB}\}$, i.e. B refusing to sign $C1a$ at step 2. For player A the outcome is $u_A(\sigma^{op}_A, \tau_B) = 0 < 1 = u(\sigma^{op})$.

Theorem 11. The mechanism $(\Gamma^{op}, \sigma^{op})$ is optimal resilient and weak immune.

Proof. The only Pareto efficient outcome is $(1, 1)$, which is provided only by the joint strategy $\sigma^{op}$. Therefore $\sigma^{op}$ is a strong Nash equilibrium. By Proposition 1, since $\sigma^{op}$ is a strong equilibrium, the mechanism is strongly resilient.

Both $\sigma^{op}_A$ and $\sigma^{op}_B$ are dominant strategies respectively for A and B, because they always get a better outcome, no matter what the other player does. Therefore $\sigma^{op}$ survives after the iterated deletion of weakly dominated strategies: the mechanism is practical.

The players never receive negative payoff, therefore if they play $\sigma^{op}_A$ and $\sigma^{op}_B$ they always get a non-negative payoff. This corresponds to the Definition 1 of weak immunity.

Figure 9: The game tree of Γop

B.3 Closing module

Let us consider the context in which both players have opened a channel and they intend to close it. As described in Section 3.2, A and B both have a copy of a transaction that allows them to close the channel unilaterally. Indeed, A and B own respectively two commitments $C1a_{\cdot B}$ and $C1b_{A\cdot}$ signed by the other party. If they add their signature, respectively $C1a_{AB}$ and $C1b_{AB}$, they can unilaterally publish a transaction that returns the values stuck in the fund $x_A$ and $x_B$ back to their owners. The user that closes the channel unilaterally receives her part of the fund after $\Delta$ blocks, while the other user receives it immediately. Since users prefer to receive their asset immediately, the protocol recommends creating a new transaction, namely $ES$, that makes F send $x_A$ and $x_B$ respectively to A and B immediately. We model the situation with the following game in normal form (cf. Definition 11).

Definition 21. The closing game $\Gamma^{cl} = \langle N, S, u \rangle$ of the channel $(x_A, x_B)$ with $x_A, x_B > 0$ is a game in normal form, with two players $N = \{A, B\}$ who have available three different pure strategies each: $S_A = \{C1a_{AB}, N, ES\}$ and $S_B = \{C1b_{AB}, N, ES\}$. The value of the utility can be found in the following payoff table.

$$
\begin{array}{c|ccc}
A \backslash B & C1b_{AB} & N & ES \\
\hline
C1a_{AB} & (\tfrac{1}{2}, \tfrac{1}{2}) & (0, 1) & (0, 1) \\
N & (1, 0) & (-1, -1) & (-1, -1) \\
ES & (1, 0) & (-1, -1) & (1, 1)
\end{array}
$$

Player A can either unilaterally close the channel by signing and publishing $C1a_{AB}$ on the Bitcoin blockchain, seek a deal with B in order to publish $ES$ or simply do nothing $N$. Analogously player B can unilaterally publish $C1b_{AB}$ or choose any of the other two strategies.

The protocol recommends the joint strategy $\sigma^{cl} = (ES, ES)$, i.e. that they both seek a deal. The players receive null payoffs if they get their asset within $\Delta$ blocks, because they return to the initial state. For instance, this is the case for player A if the joint strategy chosen by the players is $(C1a_{AB}, ES)$, i.e. if B seeks a deal but A unilaterally closes the channel. The players receive a positive outcome (normalised to 1) if they receive their asset immediately, as for instance if they reach a deal $(ES, ES)$. The players receive a negative outcome (normalised to $-1$) if their asset is stuck in the channel, such as in the case in which A seeks a deal but B does nothing $(N, ES)$. In case both users decide to unilaterally close the channel $(C1a_{AB}, C2a_{AB})$, only one between $C1a$ and $C1b$ can be published. They have the same chance ($\tfrac{1}{2}$) for their transaction to be published, leading to either of the states $(0, 1)$ and $(1, 0)$ with equal probability.

Theorem 12. Under the assumption $x_A > 0$ or $x_B > 0$, the mechanism $(\Gamma^{cl}, \sigma^{cl})$ is optimal resilient, but not weak immune.

Proof. The outcome $u(\sigma^{cl}) = (1, 1)$ cannot be increased by any other joint strategy, therefore it is Pareto efficient and the joint strategy $\sigma^{cl}$ is a strong equilibrium. Thanks to Proposition 1 we know that every strong equilibrium provides a strongly resilient joint strategy.

For both players the strategy $N$ is weakly dominated by the strategy $ES$. Indeed, no matter what the other player does, $ES$ always provides the same or even a better utility than $N$. If we exclude both strategies $N$ the players have available only two strategies: $\{C1a_{AB}, ES\}$ and $\{C1b_{AB}, ES\}$. Once again, $ES$ dominates the other strategy by providing a better outcome. The only strategy that survives the iterated deletion of weakly dominated strategies for both players is $ES$. Therefore the only stable Nash equilibrium is $\sigma^{cl} = (ES, ES)$. Thanks to Proposition 2 we can say that a stable equilibrium provides a practical mechanism.

To prove that the mechanism is not weak immune it is enough to show a counterexample. Indeed, if A chooses $ES$ as required by the protocol and B chooses the Byzantine strategy $N$, player A receives a negative outcome $u_A(\sigma^{cl}_A, N) = u_A(ES, N) = -1$.

As a corollary, if the mechanism is not weak immune, it is not immune either. We provide an alternative protocol that can satisfy this property.

Theorem 13. Under the assumption $x_A > 0$ or $x_B > 0$, the only weak immune mechanism is $(\Gamma^{cl}, \sigma^*)$ with $\sigma^* = (C1a_{AB}, C2a_{AB})$.

Proof. In order to identify weak immune mechanisms we apply Proposition 7. We consider player A and the game $\Gamma^{cl}_A$ in which B is the adversarial player, whose utility is the opposite of player A's. The payoff matrix of the game $\Gamma^{cl}_A$ is the following:

$$
\begin{array}{c|ccc}
A \backslash B & C1b_{AB} & N & ES \\
\hline
C1a_{AB} & (\tfrac{1}{2}, -\tfrac{1}{2}) & (0, 0) & (0, 0) \\
N & (1, -1) & (-1, 1) & (-1, 1) \\
ES & (1, -1) & (-1, 1) & (1, -1)
\end{array}
$$

The Nash equilibria of the game are in the form $(C1a_{AB}, \{0, p, 1 - p\})$ with $0 \leq p \leq \tfrac{1}{2}$, which provide outcome $(0, 0)$. Since the value of the game $v = 0$ is non-negative, the strategy $C1a_{AB}$ is the only weak immune strategy for player A.

Analogously we can define the game $\Gamma^{cl}_B$ in which A is the adversarial player, which lets us prove that $C1b_{AB}$ is the only weak immune strategy for player B. Therefore $(C1a_{AB}, C1b_{AB})$ is the only joint strategy that provides a weak immune mechanism.

If we drop the assumption that both players fund the channel, we have to consider a different model. For instance, if B does not fund the channel we have that $x_B = 0$. No matter which strategy she chooses, she gets nothing. We fix the utility of any outcome to 1 because it corresponds to the outcome of closing the channel. The payoff matrix of the game is the following:

$$
\begin{array}{c|ccc}
A \backslash B & C1b_{AB} & N & ES \\
\hline
C1a_{AB} & (\tfrac{1}{2}, 1) & (0, 1) & (0, 1) \\
N & (1, 1) & (-1, 1) & (-1, 1) \\
ES & (1, 1) & (-1, 1) & (1, 1)
\end{array}
$$

This is a case of degenerate game, in which player B can theoretically choose any possible strategy, even doing nothing $N$. In this case, player A is forced to follow the weak immune mechanism $(\Gamma^{cl}, \sigma^*)$. As a result, we believe that Lightning Network should include this alternative protocol at least for the case in which the channel is unilaterally funded.
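The checks behind Theorems 10 to 13 can be reproduced by brute force. The following is an added example, not code from the paper: it evaluates Definitions 16 to 19 over the pure strategies of the opening game (Definition 20) and the closing game (Definition 21). The restriction to pure strategies, the strict-inequality convention for weak dominance, all function names, and the strategy labels written without subscripts are assumptions of this example.

```python
from fractions import Fraction
from itertools import combinations, product

def coalitions(n, max_size):
    """Every non-empty set of players (as index tuples) of size at most max_size."""
    for size in range(1, max_size + 1):
        yield from combinations(range(n), size)

def deviations(sigma, coalition, strategies):
    """Joint strategies reachable from sigma when only `coalition` may change strategy."""
    pools = [strategies[i] if i in coalition else [sigma[i]] for i in range(len(sigma))]
    return list(product(*pools))

def is_k_resilient(sigma, k, strategies, payoff):
    """Definition 17: no member of a coalition of size <= k gains by a joint deviation."""
    return all(payoff[tau][i] <= payoff[sigma][i]
               for c in coalitions(len(sigma), k)
               for tau in deviations(sigma, c, strategies)
               for i in c)

def is_t_immune(sigma, t, strategies, payoff, floor=None):
    """Definition 18 (floor=None, bound u_i(sigma)) or Definition 19 (floor=0)."""
    for byz in coalitions(len(sigma), t):
        for tau in deviations(sigma, byz, strategies):
            for i in range(len(sigma)):
                bound = payoff[sigma][i] if floor is None else floor
                if i not in byz and payoff[tau][i] < bound:
                    return False
    return True

def iterated_deletion(strategies, payoff):
    """Remove weakly dominated strategies of every player until nothing changes.
    Assumption: a dominating strategy must be strictly better at least once."""
    live = [list(s) for s in strategies]
    while True:
        snapshot = [list(s) for s in live]
        for i in range(len(snapshot)):
            rivals = list(product(*[[None] if j == i else snapshot[j]
                                    for j in range(len(snapshot))]))

            def u(own, rival):
                joint = tuple(own if j == i else r for j, r in enumerate(rival))
                return payoff[joint][i]

            live[i] = [s for s in snapshot[i] if not any(
                all(u(s, r) <= u(d, r) for r in rivals)
                and any(u(s, r) < u(d, r) for r in rivals)
                for d in snapshot[i] if d != s)]
        if live == snapshot:
            return live

def is_practical(sigma, strategies, payoff):
    """Definition 16: sigma survives iterated deletion and is a Nash equilibrium of the rest."""
    reduced = iterated_deletion(strategies, payoff)
    return (all(s in pool for s, pool in zip(sigma, reduced))
            and is_k_resilient(sigma, 1, reduced, payoff))

def weak_immune_profiles(strategies, payoff, t):
    """All pure joint strategies that satisfy Definition 19 for the given t."""
    return [s for s in product(*strategies)
            if is_t_immune(s, t, strategies, payoff, floor=0)]

# Closing game, payoff table of Definition 21: (A's strategy, B's strategy) -> (u_A, u_B).
HALF = Fraction(1, 2)
CL_STRATEGIES = (["C1aAB", "N", "ES"], ["C1bAB", "N", "ES"])
CL_PAYOFF = {
    ("C1aAB", "C1bAB"): (HALF, HALF), ("C1aAB", "N"): (0, 1), ("C1aAB", "ES"): (0, 1),
    ("N", "C1bAB"): (1, 0), ("N", "N"): (-1, -1), ("N", "ES"): (-1, -1),
    ("ES", "C1bAB"): (1, 0), ("ES", "N"): (-1, -1), ("ES", "ES"): (1, 1),
}
SIGMA_CL = ("ES", "ES")

# Opening game of Definition 20 in normal form: A picks actions for nodes 1 and 3, B for
# nodes 2 and 4; the channel opens, payoff (1, 1), only if all four follow the protocol.
OP_STRATEGIES = (list(product(["C1b··", "C1bA·"], ["Tx··", "TxA·"])),
                 list(product(["C1a··", "C1a·B"], ["TxA·", "TxAB"])))
SIGMA_OP = (("C1bA·", "TxA·"), ("C1a·B", "TxAB"))
OP_PAYOFF = {s: (1, 1) if s == SIGMA_OP else (0, 0) for s in product(*OP_STRATEGIES)}

def report(sigma, strategies, payoff):
    """Robustness properties of the mechanism (game, sigma); t = k = n - 1."""
    t = len(sigma) - 1
    return {
        "strongly_resilient": is_k_resilient(sigma, t, strategies, payoff),
        "practical": is_practical(sigma, strategies, payoff),
        "immune": is_t_immune(sigma, t, strategies, payoff),
        "weak_immune": is_t_immune(sigma, t, strategies, payoff, floor=0),
    }

if __name__ == "__main__":
    print("opening:", report(SIGMA_OP, OP_STRATEGIES, OP_PAYOFF))
    print("closing:", report(SIGMA_CL, CL_STRATEGIES, CL_PAYOFF))
    print("weak-immune closing profiles:", weak_immune_profiles(CL_STRATEGIES, CL_PAYOFF, 1))
```

The only weak-immune profile of the closing table, (C1aAB, C1bAB), fails the 1-resilience check because A gains by switching to N against C1bAB (1 instead of 1/2), so in this table weak immunity and resilience are met by different profiles.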

B.4 Updating module

Performing a transaction within a channel consists in updating its balance. Technically, the previous commitments ($C1a$ and $C1b$) with balance $(x_A, x_B)$ are replaced by two new commitments ($C2a$ and $C2b$) with different balance $(x'_A, x'_B)$. In order to prevent players from publishing old commitments, the players sign two Breach Remedy Transactions ($BR1a$ and $BR1b$), that can invalidate $C1a$ and $C2b$. Specifically, if user A publishes the outdated commitment $C1a$ user B receives $x_B$ immediately, while the remaining $x_A$ are stuck in the fund for $\Delta$ blocks. The commitment $BR1a$, if published by B, lets her retrieve also the remaining $x_A$. Briefly speaking, if any party publishes an outdated commitment the other party can retrieve all the assets in the fund. In practice the players have an incentive to delete outdated commitments to limit the risk of an unintentional leak, that could provoke their publication and thus the loss of all the assets stored in the channel. The protocol involves the following steps:

1. A creates a transaction $C2b$ that allows F to send $x'_A$ to A and to send $x'_B$ to B. B is able to spend $x'_B$ only after $\Delta$ blocks are validated. A signs $C2b$ and sends it to B.

2. B creates a transaction $C2a$ that allows F to send $x'_A$ to A and to send $x'_B$ to B. A is able to spend $x'_A$ only after $\Delta$ blocks are validated. B signs $C2a$ and sends it to B.

3. A creates a transaction $BR1a$ that lets B retrieve $x_A$ in case A publishes $C1a$ and B publishes $BR1a$ within the following $\Delta$ blocks. Then A sends $BR1a$ to B.

4. B creates a transaction $BR1b$ that lets A retrieve $x_B$ in case B publishes $C1b$ and A publishes $BR1b$ within the following $\Delta$ blocks. Then B sends $BR1b$ to A.

Figure 10: Scheme of the commitments to update the balance of the channel [39].

We formalise the protocol with a game in extensive form (cf. Fig. 11). The initial state corresponds to the previous balance (with thus null utility), the final state to the updated balance (with utility equal to 1). One may object that with the updated balance one of the two parties is receiving a smaller asset, but this does not consist in receiving a lower utility, because updating the balance guarantees the exchange of a different asset which is more valuable than the asset stored in the channel. We assign a negative value to the states in which players lose their assets or part of them.


Definition 22. The updating game Γup is a game in extensive form, with two players N = {A, B} and 5 nodes, labeled by a number (1 is the vertex):

1. A has two actions available: C2b··, which provides outcome (0, 0); C2bA·, which leads to node 2.

2. B has three actions available: C2a··, which provides outcome (0, 0); C2bAB, which provides outcome (1, 1); C2a·B, which leads to node 3.

3. A has three actions available: BR1a··, which provides outcome (0, 0); C2aAB, which provides outcome (1, 1); BR1aA·, which leads to node 4.

4. B has two actions available: BR1b·B, which provides outcome (1, 1); BR1b··, which leads to node 5.

5. A has two actions available: C1aAB, which provides outcome (−1, 1); C2aAB, which provides outcome (1, 1).

The protocol recommends signing both new commitments and the breach remedy transactions, i.e. it corresponds to the joint strategy σup = (C2bA·, BR1aA·, C2aAB, C2a·B, BR1b·B), in which the actions are played respectively at nodes (1, 3, 5, 2, 4). At nodes 2 and 3 respectively B and A can enforce the new commitments by publishing them on the Bitcoin blockchain and thus closing the channel. At node 4 B can refuse to provide the breach remedy transaction to A, who at node 5 can then publish the new commitment enforcing the closure of the channel. If at node 5 A publishes the old commitment C1a, B can retrieve all the funds by publishing the breach remedy transaction BR1a.

We now analyze the properties of the mechanism, considering as hypothesis that it is possible to publish a transaction within ∆ blocks, otherwise it is not possible to publish the breach remedy transactions in time.

Theorem 14. Under the assumption that it is possible to publish a transaction within ∆ blocks, the mechanism (Γup, σup) is not immune.

Proof. Since we are considering a game with only two players, a mechanism is immune if it is 1-immune. A mechanism is 1-immune (cf. Definition 18) if any player receives the same outcome by playing the recommended strategy, no matter which strategy the other player chooses. This is not the case of the mechanism (Γup, σup), indeed if player A chooses $\sigma^{up}_A$ and player B chooses $(\text{C2a··}, \text{BR1b·B}) \neq \sigma^{up}_B$ the payoff for player A is $u_A(\sigma^{up}_A, \text{C2a··}, \text{BR1b·B}) = 0 < 1 = u_A(\sigma^{up}_A, \sigma^{up}_B)$.

The property of immunity is too strong in this case, therefore we consider other weaker properties.

Theorem 15. Under the assumption that it is possible to publish a transaction within ∆ blocks, the mechanism (Γup, σup) is optimal resilient and weak immune.

Proof. The outcome for the joint strategy σup is (1, 1), which cannot be increased by any other joint strategy. Therefore, the outcome is Pareto efficient and σup is a strong equilibrium. Thanks to Proposition 1 we can say that a strong equilibrium provides a strongly resilient mechanism.

In order to prove that the mechanism is resilient, we have to exclude weakly dominated strategies. Since it is cumbersome to list all the strategies, we proceed by excluding all the actions that are included in a weakly dominated strategy. At node 1 A always receives a better outcome by picking action C2bA· rather than C2b··, thus C2b·· is never included in a practical mechanism. At node 2 B never plays the action C2a··, at node 3 A never plays BR1a·· and at node 5 A never plays C1aAB. The remaining joint strategies, σup included, provide outcome (1, 1). Since they all survive the iterated deletion of weakly dominated strategies, they are all practical mechanisms. Thanks to Corollary 1 we know that there always exists at least one practical mechanism. However, the reader should keep in mind that this might not be unique.

In order to prove that the mechanism is weak immune we apply Proposition 3. We consider one player i at a time and we make the other player j adversarial, by fixing her outcome as the opposite of player i (cf. Fig. 12). Then we prove that the best response of player j to player i never leads her to a negative outcome. We take i = A and we consider the game $\Gamma^{up}_A$ in which player j = B has utility opposite to player i. The best response of player j to the strategy $\sigma^{up}_A$ picked by player i is the strategy (C2a, BR1b··), i.e. at node 2 to avoid reaching a deal by not signing C2a. The payoff for player A is $u_A(\sigma^{up}_A, \text{C2a}, \text{BR1b··}) = 0$, which is non-negative. Analogously we consider the game $\Gamma^{up}_B$ in which i = B is the picked player and j = A is the adversarial player, with utility opposite to player i. The best response for j to strategy $\sigma^{up}_B$ is (C2b··, BR1a··, x) with x any possible action at node 5, which provides a non-negative payoff $u_B(\text{C2b··}, \text{BR1a··}, x, \sigma^{up}_B) = 0$. Since both adversarial games provide non-negative payoff, thanks to Proposition 3 we get that the mechanism is weak immune.

Figure 11: The game tree of Γup


Figure 12: The game trees of $\Gamma^{up}_A$ and $\Gamma^{up}_B$.

B.5 Hashed Timelock Contract module

A bidirectional payment channel only allows transactions inside a channel. In order to perform transactions through a network of channels Lightning Network introduces an additional construction, called Hashed Timelock Contract (HTLC). The HTLC allows to create transactions that can be triggered at will. The HTLC makes use of the hash function, a deterministic chaotic function that maps any input x to a fixed-length string y = hash(x). It is not possible to retrieve x given y in a faster way than trying with a brute-force method to randomly guess x. Hence if x is chosen among strings of considerable length, it is almost impossible to identify x given y = hash(x) in a reasonable time. Let us suppose that users A and B open a channel with balance (xA, xB) and A wants to send a payment through HTLC to B so that the new balance would be (x′A, x′B), with xA < x′A. A creates a random data R and then computes H = hash(R). Then she sends an update of the contract to B, with a specific characteristic: if B publishes it, she can retrieve the difference x′B − xB only if she proves to know x such that H = hash(x) within ∆ blocks (in [39] ∆ = 1000). A can trigger the contract by providing R to B. If she does not do it, B cannot find x = R and thus has no incentive to publish the contract. The HTLC protocol works as follows:

1. A creates a commitment C2b that allows F to send x′A to A, xB to B after ∆ blocks and x′B − xB to B if she publishes x such that H = hash(x) to the Bitcoin blockchain within ∆ blocks. A signs it and sends it to B.

2. Analogously, B creates a set of commitments C2a that allows F to send x′B to B, xA to A after ∆ blocks and x′B − xB to B if she publishes x such that H = hash(x) to the Bitcoin blockchain within ∆ blocks. B signs it and sends it to A.

3. A creates a transaction BR1a that lets B retrieve xA in case A publishes C1a and B publishes BR1a within the following ∆ blocks. Then A sends BR1a to B.


4. B creates a transaction BR1b that lets A retrieve xB in case B publishes C1b and A publishes BR1b within the following ∆ blocks. Then B sends BR1b to A.

The protocol for the HTLC corresponds to the protocol for updating a channel, with the only difference that the new commitments C2a and C2b provide a different output. Under the assumption that a transaction (or just the key R) can be published within ∆ blocks, we can define a game Γhtlc with the very same structure as Γup (cf. Definition 5 and Fig. 11). Following the protocol corresponds to the joint strategy σhtlc. Hence we can introduce the following theorem.

Theorem 16. Under the assumption that it is possible to publish a transaction within ∆ blocks, the mechanism (Γhtlc, σhtlc) is optimal resilient and weak immune, but not immune.

Proof. Since the mechanisms (Γhtlc, σhtlc) and (Γup, σup) follow the very same structure, we can apply Theorem 5.

Figure 13: Scheme of the commitments of the HTLC [39].


B.6 Routing module

Lightning Network allows payments also between two users, namely A and C, who do not share a channel. The requirement for a routed payment is to find a path of channels between the two users, i.e. a sequence of users who two-by-two share a channel. Let us consider the case of a single intermediate node, namely B: users A and B have an opened channel with balance (xA, xB), while B and C have opened a different channel with balance (yB, yC). Let us suppose that A wishes to send δ to C. Informally, A sends δ + ε to B and B sends δ to C, where ε ≥ 0 is the fee given to the intermediate node B. Since the channels are opened, the two payments consist in updating the balance of the two channels: (xA, xB) → (xA − δ − ε, xB + δ + ε) and (yB, yC) → (yB − δ, yC + δ). The protocol for routed payments lets the receiver C trigger both payments at the same moment:

1. C creates a random data R and hashes it: H = hash(R). Then, she sends H to A.

2. A creates a HTLC, namely HAB of value δ + ε locked with H and sends it to B.

3. B creates a HTLC, namely HBC of value δ locked with H and sends it to C.

4. C discloses R to B, hence validating HBC.

5. B discloses R to A, thus validating HAB.

Figure 14: The game tree of Γrout

We formalise the protocol with a game in extensive form (cf. Fig. 14). The initial state consists in the initial balance and it is assigned null utility. The final state corresponds for A and C to fulfill the payment, for B to receive the fee ε. The final state has positive payoff, normalised to 1. Any state that consists in a loss of assets is assigned negative payoff.

Definition 23. The routing game Γrout is a game in extensive form, with three players N = {A, B, C} and 5 nodes, labeled by a number (1 is the vertex):


1. C has two actions available: either N, not sending H to A, which provides outcome (0, 0, 0), or Y, sending H to A, which leads to node 2.

2. A has two actions available: either $H^{AB}_{\cdot}$, which provides outcome (0, 0, 0), or $H^{AB}_A$, which leads to node 3.

3. B has two actions available: either $H^{BC}_{\cdot}$, which provides outcome (0, 0, 0), or $H^{BC}_B$, which leads to node 4.

4. C has two actions available: either N, not disclosing R to B, which provides outcome (0, 0, 0), or Y, disclosing R to B, which leads to node 5.

5. B has two actions available: either N, not disclosing R to A, which provides outcome (1, −1, 1), or Y, disclosing R to A, which provides outcome (1, 1, 1).

At node 1 C creates the lock H and its key R. At nodes 2 and 3 the two HTLCs are created. At node 4 C triggers the payment in the channel that she shares with B. At node 5 B triggers the payment in the channel that she shares with A. If at step 5 B does not trigger the payment, A and C reach the final state, because C has received the payment, even if A has not paid for it.

The recommended joint strategy is $\sigma^{rout} = (H^{AB}_A, H^{BC}_B, Y, Y, Y)$, respectively played at nodes (2, 3, 5, 1, 4). The payoffs are as shown only under the assumption that in both HTLCs the transactions can be triggered. We analyze the protocol under this assumption.
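The hash lock of Section B.5 and the five routing steps above can be run end to end to see where the outcome (1, −1, 1) of node 5 comes from. The Python below is an added example, not code from the paper or from Lightning Network; SHA-256 as the hash, the `HTLC` class, `route_payment`, the single timeout shared by both HTLCs and the sample values are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


def hash_lock(preimage: bytes) -> bytes:
    """H = hash(R). SHA-256 is an assumption; the page only says 'hash'."""
    return hashlib.sha256(preimage).digest()


@dataclass
class HTLC:
    payer: str
    payee: str
    amount: int
    lock: bytes              # H, fixed when the contract is created
    expiry: int              # first block height at which a claim is rejected
    state: str = "pending"   # pending -> claimed | refunded

    def claim(self, x: bytes, height: int) -> bool:
        """Payee redeems by publishing x with hash(x) == H before expiry."""
        if self.state != "pending" or height >= self.expiry:
            return False
        if hash_lock(x) != self.lock:
            return False
        self.state = "claimed"
        return True

    def refund(self, height: int) -> bool:
        """Payer recovers the amount once the timelock has run out."""
        if self.state != "pending" or height < self.expiry:
            return False
        self.state = "refunded"
        return True


def route_payment(R: bytes, delta: int, eps: int, timeout: int, b_claims_at):
    """
    Steps 1-5 of the routed payment A -> B -> C.
    b_claims_at is the block height at which B presents R on the A-B channel,
    or None if B never does (action N at node 5).
    Returns (net balance change per user, (state of HAB, state of HBC)).
    """
    H = hash_lock(R)                                # step 1: C picks R, sends H to A
    h_ab = HTLC("A", "B", delta + eps, H, timeout)  # step 2: A locks delta + eps for B
    h_bc = HTLC("B", "C", delta, H, timeout)        # step 3: B locks delta for C
    h_bc.claim(R, height=1)                         # step 4: C discloses R
    if b_claims_at is not None:
        h_ab.claim(R, b_claims_at)                  # step 5: B discloses R
    h_ab.refund(timeout)                            # no effect if already claimed

    net = {"A": 0, "B": 0, "C": 0}
    for h in (h_ab, h_bc):
        if h.state == "claimed":
            net[h.payer] -= h.amount
            net[h.payee] += h.amount
    return net, (h_ab.state, h_bc.state)


if __name__ == "__main__":
    R = b"constructed-preimage-for-the-example"     # constructed sample value
    print(route_payment(R, delta=100, eps=2, timeout=1000, b_claims_at=2))
    print(route_payment(R, delta=100, eps=2, timeout=1000, b_claims_at=None))
```

When B never presents R, or presents it only at the timeout height, A is refunded while C keeps δ, so the loss falls on the intermediate node B alone.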

Theorem 17. Under the assumption that in both HTLCs the transactions can be triggered, (Γrout, σrout) is not immune.

Proof. Since the game Γrout has three players, the mechanism is immune if it is 1-immune and 2-immune. To prove that the mechanism is not immune, it is enough to prove that it is not 1-immune. A mechanism is 1-immune (cf. Definition 18) if any player who chooses the recommended strategy receives the same outcome, no matter what any Byzantine player can choose. This property is not fulfilled. Indeed, if A picks the strategy $H^{AB}_{\cdot}$, the outcome for C is lower: $u_C(H^{AB}_{\cdot}, \sigma^{rout}_B, \sigma^{rout}_C) = 0 < 1 = u_C(\sigma^{rout}_A, \sigma^{rout}_B, \sigma^{rout}_C) = u_C(\sigma^{rout})$.

The property of immunity is too strong for this protocol, therefore we consider the other properties.

Theorem 18. Under the assumption that in both HTLCs the transactions can be triggered, (Γrout, σrout) is optimal resilient and weak immune.

Proof. The outcome u(σrout) = (1, 1, 1) is Pareto efficient, indeed there is no other strategy that can improve any of the payoffs. Thus σrout is a strong equilibrium and thanks to Proposition 1 we have that a strong equilibrium provides a strongly resilient mechanism.

In order to prove that the mechanism is practical, we proceed by excluding the actions that belong to weakly dominated strategies. At node 5 B never plays N because she would receive −1 rather than 1. Therefore at node 4 C never chooses N because she would receive 0 rather than 1. Analogously at nodes 3, 2 and 1 players do not choose alternative actions, because they would receive 0 rather than 1. The joint strategy σrout is the only one that survives the iterated deletion of weakly dominated strategies, hence the mechanism is practical.

In order to prove that the mechanism is weak immune we apply Proposition 3. We consider one player i at a time and we introduce an adversarial player j that plays at any node which is not played by i (cf. Fig. 15). We define the game $\Gamma^{rout}_i$ which has the same structure, two players i and j and utility function for j opposite to the one of player i. In games $\Gamma^{rout}_A$ and $\Gamma^{rout}_C$ respectively A and C never receive negative payoffs. In game $\Gamma^{rout}_B$ player B never receives negative payoff if she plays $\sigma^{rout}_B$. For Proposition 3, since all the adversarial games $\Gamma^{rout}_i$ do not provide negative payoff if the players follow the recommended strategy $\sigma^{rout}_i$, the mechanism is weak immune.
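The immunity and weak-immunity arguments in the proofs of Theorems 14, 15, 17 and 18 can be checked by brute force on the trees of Definitions 22 and 23. The Python below is an added example, not part of the paper: instead of building the adversarial games of Proposition 3 it enumerates every strategy of the players who do not follow the protocol, and the function names and the ASCII action labels ('.' for the page's '·', `HAB_A` for the signed HTLC) are assumptions.

```python
from itertools import combinations, product

# Tree encoding: node -> (player to move, {action: next node, or payoff tuple if terminal}).
# Payoff tuples are ordered like the matching *_PLAYERS tuple.
UP_PLAYERS = ("A", "B")
GAMMA_UP = {
    1: ("A", {"C2b..": (0, 0), "C2bA.": 2}),
    2: ("B", {"C2a..": (0, 0), "C2bAB": (1, 1), "C2a.B": 3}),
    3: ("A", {"BR1a..": (0, 0), "C2aAB": (1, 1), "BR1aA.": 4}),
    4: ("B", {"BR1b.B": (1, 1), "BR1b..": 5}),
    5: ("A", {"C1aAB": (-1, 1), "C2aAB": (1, 1)}),
}
SIGMA_UP = {1: "C2bA.", 2: "C2a.B", 3: "BR1aA.", 4: "BR1b.B", 5: "C2aAB"}

ROUT_PLAYERS = ("A", "B", "C")
GAMMA_ROUT = {
    1: ("C", {"N": (0, 0, 0), "Y": 2}),
    2: ("A", {"HAB.": (0, 0, 0), "HAB_A": 3}),
    3: ("B", {"HBC.": (0, 0, 0), "HBC_B": 4}),
    4: ("C", {"N": (0, 0, 0), "Y": 5}),
    5: ("B", {"N": (1, -1, 1), "Y": (1, 1, 1)}),
}
SIGMA_ROUT = {1: "Y", 2: "HAB_A", 3: "HBC_B", 4: "Y", 5: "Y"}


def play(tree, profile, root=1):
    """Follow a joint strategy (node -> action) from the root to a payoff tuple."""
    node = root
    while not isinstance(node, tuple):
        node = tree[node][1][profile[node]]
    return node


def deviations(tree, sigma, byzantine):
    """Every joint strategy in which `byzantine` players act freely and the rest follow sigma."""
    free = [n for n, (owner, _) in tree.items() if owner in byzantine]
    for choice in product(*(tree[n][1] for n in free)):
        yield {**sigma, **dict(zip(free, choice))}


def immunity_witness(tree, players, sigma, t=1):
    """Return (byzantine set, harmed honest player, her payoff) if t-immunity fails, else None."""
    base = play(tree, sigma)
    for byz in combinations(players, t):
        for profile in deviations(tree, sigma, set(byz)):
            out = play(tree, profile)
            for k, p in enumerate(players):
                if p not in byz and out[k] < base[k]:
                    return byz, p, out[k]
    return None


def worst_payoff(tree, players, sigma, i):
    """Payoff of player i under sigma when all other players try to minimise it."""
    k = players.index(i)
    others = set(players) - {i}
    return min(play(tree, prof)[k] for prof in deviations(tree, sigma, others))


def weak_immune(tree, players, sigma):
    """True if no player who follows sigma can be pushed to a negative payoff."""
    return all(worst_payoff(tree, players, sigma, i) >= 0 for i in players)


if __name__ == "__main__":
    for name, tree, players, sigma in (
        ("update", GAMMA_UP, UP_PLAYERS, SIGMA_UP),
        ("routing", GAMMA_ROUT, ROUT_PLAYERS, SIGMA_ROUT),
    ):
        print(name, play(tree, sigma), immunity_witness(tree, players, sigma),
              weak_immune(tree, players, sigma))
```

Swapping a player's recommended action for a deviating one, for example B playing N at node 5 of the routing game, makes `worst_payoff` for that player drop to −1, which is why weak immunity is stated only for players who follow the protocol.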

Once R is disclosed in one of the two channels, Lightning Network provides a protocol in order to solve the HTLC (see Section B.5). Every HTLC can be modeled with a mechanism: $(\Gamma^{AB}, \sigma^{AB})$ for $H^{AB}$ and $(\Gamma^{BC}, \sigma^{BC})$ for $H^{BC}$. The two channels are independent one from another, thus we can consider the composition of the two games (cf. Definition 2) and define the mechanism $(\Gamma^{AB}\,\Gamma^{BC}, \sigma^{AB}_i, \sigma^{BC}_i)$. The protocol for routed payments is independent from the protocol for HTLC, because it is external with respect to the channel, while the HTLCs work within the channel. However, the routed payments are carried out only if in both HTLCs the transactions can be triggered, i.e. if every transaction can be published within ∆ blocks (cf. Section B.5). Therefore we consider this assumption and define the general game $\Gamma^{rout}\,\Gamma^{AB}\,\Gamma^{BC}$ to represent the general class of protocols that allows routed payments to be performed. We analyze the properties of the mechanism $(\Gamma^{rout}\,\Gamma^{AB}\,\Gamma^{BC}, \sigma^{rout}_i, \sigma^{AB}_i, \sigma^{BC}_i)$.

Theorem 19. Under the assumption that every transaction can be published within ∆ blocks, the mechanism $(\Gamma^{rout}\,\Gamma^{AB}\,\Gamma^{BC}, \sigma^{rout}_i, \sigma^{AB}_i, \sigma^{BC}_i)$ is optimal resilient and weak immune.

Proof. The operator composition is invariant with respect to the properties of the mechanisms. Thanks to Theorems 6 and 16 we have that $(\Gamma^{rout}, \sigma^{rout})$, $(\Gamma^{AB}, \sigma^{AB})$ and $(\Gamma^{BC}, \sigma^{BC})$ are practical. Therefore, with Proposition 5 we have that their composition $(\Gamma^{rout}\,\Gamma^{AB}\,\Gamma^{BC}, \sigma^{rout}_i, \sigma^{AB}_i, \sigma^{BC}_i)$ is practical.

Analogously, thanks to Theorems 6 and 16 we have that every single mechanism is k-resilient for all k and t-weak-immune for all t. Propositions 6 and 7 let us say that the composition $(\Gamma^{rout}\,\Gamma^{AB}\,\Gamma^{BC}, \sigma^{rout}_i, \sigma^{AB}_i, \sigma^{BC}_i)$ is k-resilient for all k and t-weak-immune for all t, i.e. it is strongly resilient and weak immune.

Figure 15: The game trees of $\Gamma^{rout}_A$, $\Gamma^{rout}_B$ and $\Gamma^{rout}_C$.


B.7 Side-chain

A different solution to overcome the scalability and privacy problems of blockchains is offered by Platypus [38], a protocol that allows a group of users to create a childchain that can handle offchain transactions without the need of synchrony among peers. In this section we consider the protocol to create a Platypus chain, described in Fig. 16. Briefly speaking, the protocol lets the chain validators broadcast to the other peers the transactions until the number of validators that have confirmed the transactions overcomes a defined threshold. We model the situation with a game in extensive form. The processes are represented by the players of the game, that can be split in two categories: validators V and normal users U. The total number of users |N| = |U ∪ V| is denoted by mv. Normal users have utility 1 if their transaction is successfully published, 0 if they get back to the initial state, −1 if they lose anything in the process. The validators have utility n, with n the number of valid transactions which are broadcast. The protocol is divided into phases. Every phase consists of players acting at the same time, indeed we work under the assumption that the broadcast of any of the players involved is subsequent to the action of every other player. If this condition is not fulfilled, it would be necessary to consider different phases instead of one, with the same structure.

Definition 24. The creation game is a game Γcr in extensive form, where N = U ∪ V is the set of players. Every phase corresponds to a node of the tree, at which processes play at the same time.

• Phase 1; only the process p0 is involved. The process p0 has two actions: either complete it Y or not N. If she does not, the outcome is 0 for all players.

• Phase 2; every process within normal users plays at the same time. Everyone disposes of the same two actions: broadcasting their message Y or not N. If the message is not broadcast for player i, her utility is always 0.

• Phase 3; the validators can choose within a set of actions au with u ⊆ U, i.e., they can validate all the messages for the users within the set u. The cardinality of the set of their actions is equal to $2^{|U|}$. The utility for the validators corresponds to the number of valid transactions which are broadcast.

• Phase 4; the validators can choose within a set of actions in the form (bt, st′), where t and t′ are any subset of transactions broadcast in Phase 3. The action b consists in broadcasting the transactions belonging to the set t until ⌊2mv/3⌋ + 1 validators receive it, while s means to send the transactions in t′.

We define the mechanism (Γcr, σcr), where σcr ∈ S is the strategy of following the protocol, i.e. for normal users u the strategy is $\sigma^{cr}_u = Y$, while for validators v the strategy is $\sigma^{cr}_v = (a_{u^*}, b_{t^*}, s_{t^*})$, where u∗ is the set of users who send a message and t∗ is the set of transactions broadcast in Phase 3.

Theorem 20. The mechanism (Γcr, σcr) is not t-immune for any t.

Proof. It is enough to prove that the mechanism is not 1-immune. A mechanism is 1-immune if every player does not reduce her utility if only one other player is choosing a Byzantine behaviour (cf. Definition 18). This property is not fulfilled, indeed if in Phase 1 the process p0 chooses N rather than $\sigma^{cr}_{p_0} = Y$, the utility for every player is 0, which is lower than the utility provided by σcr.

Theorem 21. The mechanism (Γcr, σcr) is optimal resilient and ⌊mv/3⌋-weak-immune.

Proof. σcr is a strong Nash equilibrium. Indeed, under the joint strategy σcr the validators consider all the processes (u = t = U), thus their utility reaches its maximum |U|. The other users have only two strategies, where broadcasting their message is the only strategy played at the equilibrium. Therefore we have a Pareto efficient outcome. Following Proposition 6 we know that the mechanism is strongly resilient.

For normal users the strategy Y dominates N (the utility is 1 which is larger than 0), while for validators (aU, bU, sU) dominates every other strategy: indeed, any other strategy would provide a payoff lower than |U|. Therefore the joint strategy σcr is the only one with weakly dominating strategies, thus thanks to Proposition 5 we get that the mechanism is practical.

In order to prove weak immunity, we apply Proposition 7. We need to prove that every player never gets negative utility when following the protocol, when all the other players become adversarial. The validators never have negative utility, thus it is enough to prove that neither do the other users. In the worst case scenario for user u ∈ U a wrong process is validated. To do so, another user u′ ∈ U should publish it and the validators should approve it. Under the assumption that there are at most ⌊mv/3⌋ corrupted processes, in [38] it is proved that this is not possible. The proof follows from the intuition that, since the Byzantine validators own less than a third of the network, they cannot validate two different transactions including one which can damage the user u. Therefore users never get negative utility if there are at most ⌊mv/3⌋ Byzantine players. This corresponds to the definition of ⌊mv/3⌋-weak-immunity (cf. Definition 1).

Figure 16: Algorithm to create a chain in Platypus [38].


B.8 Cross-chain swap

In this section we analyze the protocol introduced in [35], that allows two users to swap assets that belong to two different blockchains, which do not communicate with each other. In [24] a theoretical model is set to prove that the protocol is correct for those players who are altruistic, no matter what the other players do. We rephrase the proof within our model, providing a result in terms of (k, t)-weak-robustness. In the example proposed by [35] user A trades bitcoins for altcoins with user B. Bitcoins and altcoins belong to two different blockchains. The protocol stands on the property of the hash function, introduced in Section B.5. The hash function allows to map a string x to y = hash(x) such that given y it is almost impossible to retrieve x. Briefly speaking, A creates a random string x, computes y = hash(x), creates a transaction on the Bitcoin blockchain that sends an amount of bitcoins to B under the condition that B identifies z such that y = hash(z). Then, B creates a transaction on the Altcoin blockchain that sends an amount of altcoins to A under the condition that A provides z such that y = hash(z). A discloses x, thus validating both transactions.

Specifically, A creates two transactions on the Bitcoin blockchain: TX1, that lets B receive an amount of bitcoins if she provides x, and TX2, that gives back the amount to A if B does not provide x within ∆1 hours (in [35] ∆1 = 48). B creates two transactions on the Altcoin blockchain: TX3, that lets A receive an amount of altcoins if she provides x, and TX4, that gives back the amount to B if A does not provide x within ∆2 hours (in [35] ∆2 = 24). The theoretical bounds for ∆1 and ∆2 are provided in [24]. In a context with two players, the condition is that ∆1 ≥ 2∆2. From now on we consider the assumption that ∆1 and ∆2 fulfill the properties set in [24], and specifically we have that min(∆1, ∆2) = ∆2.
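A small timeline model shows what the condition ∆1 ≥ 2∆2 protects against when, as assumed in this section, a transaction can take up to ∆2 hours to be published. The Python below is an added example, not taken from the paper, [24] or [35]; it assumes integer hours, both timelocks counted from a common start, a claim being valid only strictly before its deadline, and the names `settle_swap` and `first_unsafe_schedule` are hypothetical.

```python
def settle_swap(delta1, delta2, reveal_at, publish_delay):
    """
    Resolve both chains of the swap.

    delta1, delta2: timelocks of TX2 (Bitcoin) and TX4 (Altcoin), in hours.
    reveal_at:      hour at which A publishes x on the Altcoin chain,
                    or None if A never reveals x.
    publish_delay:  hours B needs, after x becomes public, to get her
                    claim accepted on the Bitcoin chain.
    Returns the transaction that settles each chain and the final holders.
    """
    x_public = reveal_at is not None
    # TX3 pays A only if x is on the Altcoin chain before TX4's timelock.
    a_claims = x_public and reveal_at < delta2
    # TX1 pays B only if x is on the Bitcoin chain before TX2's timelock.
    b_claims = x_public and reveal_at + publish_delay < delta1
    return {
        "altcoin": "TX3" if a_claims else "TX4",
        "bitcoin": "TX1" if b_claims else "TX2",
        "holders": {
            "altcoins": "A" if a_claims else "B",
            "bitcoins": "B" if b_claims else "A",
        },
    }


def first_unsafe_schedule(delta1, delta2):
    """
    Search every schedule allowed by the assumptions (A reveals before
    delta2, publication takes at most delta2 hours) for one in which A
    ends up holding both assets. Returns (reveal_at, publish_delay) or None.
    """
    for reveal_at in range(delta2):
        for delay in range(delta2 + 1):
            holders = settle_swap(delta1, delta2, reveal_at, delay)["holders"]
            if holders == {"altcoins": "A", "bitcoins": "A"}:
                return reveal_at, delay
    return None


if __name__ == "__main__":
    print(first_unsafe_schedule(48, 24))   # values of [35]: no unsafe schedule
    print(first_unsafe_schedule(47, 24))   # one hour short of 2 * delta2
```

With ∆1 = 2∆2 no allowed schedule leaves B without the bitcoins, while any shorter ∆1 admits one: A reveals x just before ∆2 and B's slowest permitted publication lands after TX2 has become valid.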

Since the two blockchains are independent we model the protocol with two different games. We set to 0 the utility of the initial state, 1 the utility of every state in which the player receives what is asked, −1 the utility of every state in which the player gives some coins without receiving any. The Bitcoin blockchain is represented by game G1, while the Altcoin blockchain by G2 (cf. Fig. 17). We work under the assumption that a transaction can be published within min(∆1, ∆2) = ∆2 hours.

Definition 25. The Bitcoin game is an extensive form game G1 with 2 players N = {A, B} and 5 nodes (1 is the vertex):

1. A can either Y, pick a random string x, create TX1 and TX2, then send TX2 to B, or N, doing none of them. The action Y leads to node 2, while the action N leads to the outcome (0, 0).

2. B can either Y, sign TX2, that leads to node 3, or N, refusing to do it, with outcome (0, 0).

3. A can either do nothing N, with thus outcome (0, 0), or Y, publish TX1 on the Bitcoin blockchain, that leads to node 4.

4. Both A and B have available two actions: either Y, publish TX2 before x is revealed, or N, not. If any of the two does so, the outcome is (0, 0). Otherwise, A reveals x and (N, N) leads to node 5.

5. B can either Y, publish x on the Bitcoin blockchain, or N, not doing it. If she does, the outcome is (1, 1). If she does not, the outcome is (1, −1).

The joint strategy that corresponds to following the protocol is σ1 = (Y, Y, N, Y, N, Y), respectively played at nodes (1, 3, 4, 2, 4, 5). Until x is revealed, the transactions cannot be triggered, therefore they provide null payoff. When x is revealed on the other chain, A has received the altcoins (thus with payoff equal to 1). If at step 5 B reveals x, she triggers the contract and receives the bitcoins (payoff equal to 1). Otherwise she has lost her asset in altcoins (negative payoff −1).

Definition 26. The Altcoin game is an extensive form game G2 with 2 players N = {A, B} and 5 nodes (1 is the vertex):

1. B can either Y, create TX3 and TX4 and send the latter to A, or N, doing nothing. The action Y leads to node 2, while the action N leads to the outcome (0, 0).


2. A can either Y, sign TX4, that leads to node 3, or N, refusing to do it, with outcome (0, 0).

3. B can either do nothing N, with thus outcome (0, 0), or publish TX3 on the Altcoin blockchain (Y), that leads to node 4.

4. Both A and B have available two actions: either publish TX4 (Y) before x is revealed or not (N). If any of the two does so, the outcome is (0, 0). Otherwise, A reveals x and (N, N) leads to node 5.

5. A can either publish x on the Altcoin blockchain (Y) or not doing it (N). If she does, the outcome is (1, 0). If she does not, the outcome is (0, 0).

The joint strategy that corresponds to following the protocol is σ2 = (Y, N, Y, Y, Y, N), respectively played at nodes (2, 4, 5, 1, 3, 4). Until x is revealed, the transactions cannot be triggered, therefore they provide null payoff. When x is revealed, A receives the altcoins (thus with payoff equal to 1). B does not know if she receives the asset, hence her payoff is 0.

Since the two blockchains are independent, we consider the composition of the two games that represents them and analyze its properties.

Theorem 22. Under the assumption that any transaction can be published within a time interval [0, ∆2], the mechanism (G1 G2, σ1i, σ2i) is not immune.

Proof. The joint strategy σ1i, σ2i provides outcome

$$u_{G_1 G_2}(\sigma_{1i}, \sigma_{2i}) = u_{G_1}(\sigma_1) + u_{G_2}(\sigma_2) = (1, 1) + (1, 0) = (2, 1)$$

If B considers a strategy σ∗B that lets her play action N at node 2 of the Bitcoin game and action N at node 1 of the Altcoin game, the outcome is

$$u_{G_1 G_2}(\sigma_{1A}, \sigma_{2A}, \sigma^*_B) = u_{G_1}(\sigma_{1A}, \sigma^*_{1B}) + u_{G_2}(\sigma_{2A}, \sigma^*_{2B}) = (0, 0) + (0, 0) = (0, 0)$$

thus reducing the payoff for player A. In a two-player game a mechanism is immune if it is 1-immune (cf. Definition 18), but in this case A receives a loss if B performs a specific Byzantine behaviour.

Theorem 23. Under the assumption that any transaction can be published within an interval of time ∆2, the mechanism (G1 G2, σ1i, σ2i) is optimal resilient and weak immune.

Proof. It is enough to prove that the two mechanisms (G1, σ1) and (G2, σ2) satisfy the properties and then exploit the properties of the operator composition of games.

In game G1 the joint strategy σ1 is the only one with outcome (1, 1), which is maximal. Thus the outcome is Pareto efficient and the equilibrium is strong. Thanks to Proposition 1 we have that (G1, σ1) is strongly resilient.

Every strategy different from σ1 is weakly dominated, indeed they bring to either outcome −1 or 0, which is lower than u1(σ1) = (1, 1). Thus σ1 is a stable Nash equilibrium and for Proposition 2 we have that the mechanism (G1, σ1) is practical.

In order to prove weak immunity we apply Proposition 3. When following respectively strategies σ1A and σ1B both A and B never get negative utility. Therefore the mechanism (G1, σ1) is also weak immune.

In game G2 the joint strategy σ2 produces a Pareto efficient outcome (1, 0), thus for Proposition 1 we have that the mechanism (G2, σ2) is strongly resilient.

The strategies within σ2 are never weakly dominated, because none of the others can provide a better outcome. Hence the mechanism is practical.

Every outcome is non-negative, therefore the mechanism is weak immune.

Since both mechanisms are optimal resilient and weak immune, we can apply Propositions 5, 6 and 7, that ensure the invariance of the properties once the operator composition is applied. The mechanism (G1 G2, σ1i, σ2i) is thus optimal resilient and weak immune.


Figure 17: The game trees of G1 and G2.
